1. Introduction

1.1 Document Purpose and Audience

The purpose of this document is to describe the architecture and specification of the
DeepSight Attack Quarantine System (AQS) version 1.0. It will provide the development
team with the details necessary to estimate and code the application. It will provide the QA
team with the details necessary to write test plans and testing frameworks.

The audience for this document includes: 

• Product management 

• The development team 

• The maintenance team 

• The testing team 

• The communications team responsible for help and training materials 



1.2 Scope and Description of the Module

Within the scope of this document is the description of the functional requirements of the
core subsystems of the Attack Quarantine System: VMware-based Honey Pot Server,
Honey Pot Monitoring & Management subsystem, Network Address Translation
subsystem, Network Access Control subsystem, Network Traffic Capture subsystem,
Honey Pot Support Services subsystem, Post-Intrusion Automated Analysis subsystem,
and Web-based Interface.

How to install an operating system and/or applications to a VMware virtual disk, what
operating system and/or applications to install, or how to configure them, is outside of the
scope of this document, except for the requirements set forth in Section 5.1.1.

The specification of the Malware Oracle system is outside of the scope of this document.
Please refer to the Malware Oracle Functional Specification Document.

The specification of the Inquisitor system is outside of the scope of this document.
Please refer to the Inquisitor Functional Specification Document.

The specification of the Digital Immune System is outside of the scope of this document.
Please refer to the document Immune System network protocol, twelfth draft.

1.3 Performance Criteria 

The VMware honey pot server must be capable of executing eight virtual honey pot
systems concurrently.

The web-based interface must be capable of serving twenty concurrent operators.

The post-intrusion automated analysis subsystem must be capable of analyzing ten
breaches per hour.

The network address translation subsystem must be capable of handling 65,536
addresses.

The network capture subsystem must be capable of recording network traffic without any
packet loss.



1.4 Standards 

The pcap dump file format is a de facto standard. No standards document specifies the
format; it is documented by the pcap library sources.

The use of Microsoft SQL Server data types and stored procedures departs from the SQL
standard.



1.5 International Implications 

Special care must be taken when handling and displaying data from honey pot systems
that use a different character set and character encoding (e.g. Windows NT/2000/XP
systems and Unicode).

1.6 Additional Documentation 

These are the additional documents that describe the module or other modules it interacts
with.

Document Name                                            Description
DeepSight AQS 1.0 Business Requirements Document         The business requirements for the module.
DeepSight Malware Oracle 2.0 Functional Requirements     The functional requirements for the Malware
Document                                                 Oracle system.
DeepSight Inquisitor 1.0 Functional Requirements         The functional requirements for the Inquisitor
Document                                                 system.
Immune System network protocol, twelfth draft            DIS communications protocol specification.
2. Definitions, Acronyms and Abbreviations



The following is a list of some of the acronyms and terms used in this module (and in the
document) and their definitions.

Term                   Definition
AQS                    Attack Quarantine System
DIS                    Digital Immune System
TMS                    Threat Management System
DHCP                   Dynamic Host Configuration Protocol
DNS                    Domain Name System
NAT                    Network Address Translation
Honey Pot Archetype    The honey pot "template" from which a honey pot system is derived.
                       A honey pot archetype can be used to derive multiple honey pot
                       systems, which can execute in parallel.
Honey Pot System       A honey pot derived from an archetype. A honey pot system may be
                       executed multiple times serially.
Honey Pot Instance     One execution of a honey pot system.
3. Work Flow

The following diagram describes the general workflow of a single honey pot system 
within the architecture: 
4. Security

By its very nature the AQS has a number of highly exposed components. For this reason
the AQS network must not be connected to any Symantec production, development, or
testing network. The AQS network is solely connected to the Internet.

Within the AQS some components are meant to be breached, while others are meant to be
secure. The Network Access Control subsystem contains network traffic from the
breached systems. Furthermore, the secure hosts are hardened against attack.
5. Architecture

The Attack Quarantine System (AQS) version 1.0 product comprises a number of
different components: a honey pot server that hosts the virtualization software, honey pot
monitoring & management subsystem, honey pot network traffic capture subsystem, and
network access control subsystem; a network address translation subsystem; a honey pot
support subsystem; a database; and a honey pot management server that hosts the post-
intrusion analysis subsystem and the web-based interface.

AQSv1 interacts with a number of external systems: the Internet, the DeepSight
Malware Oracle, DeepSight Inquisitor, and the Digital Immune System (DIS).

The following diagram shows the AQS components and network topology. 
The following diagram shows the AQS components and their interactions.

Multiple honey pot servers can be managed by a single honey pot management server,
store data in a single database, and feed samples to DIS. The following diagram
illustrates this configuration.
5.1 VMware Honey Pot Server

The VMware honey pot server is the heart of AQSv1. The VMware honey pot server
executes a number of virtual honey pots and hosts a number of different subsystems.

The subsystems the VMware honey pot server hosts are: 

• Virtualization Software, which executes the virtual honey pot system instances. 
• Network Access Control (firewall), to isolate honey pot systems from each other.

• Network Traffic Capture, which records network traffic to and from the honey pot 
systems. 

• Honey Pot Monitoring & Management, which determines when a honey pot 
system instance has been breached, saves its state, and initiates a new honey pot 
system instance. 

All of the files that comprise the AQSv1 system in the VMware honey pot server are
stored under the /var/dionaea directory. Executable components of AQSv1 on the VMware
honey pot server are found in the /var/dionaea/bin directory.

5.1.1 Virtualization Software 

A honey pot archetype is a template that determines the type and configuration of a 
honey pot system. Multiple honey pot systems can be defined from the same honey pot 
archetype. A honey pot instance is an execution or instantiation of a honey pot system 
from its archetype. Honey pot instances from the same honey pot system must be 
executed sequentially. Honey pot instances from different honey pot systems can be 
executed in parallel. 

The virtualization software creates virtual honey pot instances of honey pot systems 
based on their archetype. The virtualization software used in the VMware honey pot 
server is VMware GSX Server version 2.0 or later, running under the Linux operating 
system. 

All the files that comprise a honey pot archetype are stored in the directory
/var/dionaea/archetypes/<at>, where <at> is the archetype id. All the files that comprise
a honey pot system instance while it is executing are stored in the directory
/var/dionaea/honeypots/<id>, where <id> is the honey pot system instance id.

The file system data of a virtual honey pot system is stored in a single VMware virtual
disk. A VMware virtual disk is composed of one or more virtual disk files, which have an
extension of vmdk. The archetype VMware virtual disk files of a system are stored in the
directory /var/dionaea/archetypes/<at>/vmware and copied to the honey pot instance's
/var/dionaea/honeypots/<id> directory when the honey pot system instance is
initialized.

The creation of these archetype virtual disks is outside of the scope of this document,
except for the following requirements on the configuration of the software installed on
them:

• Operating systems must be configured to use DHCP to discover and configure
their network parameters, including their IP address, default gateway, and DNS
servers.

• Other than for DHCP the operating systems and applications must be configured
so that they do not initiate network activity when left in an idle state. If the system
still produces some network traffic it must be described in the form of a pcap
filter in a file with the extension nign. This file is stored in the archetype
/var/dionaea/archetypes/<at> directory.

• Any web servers making use of HTTP over SSL/TLS (HTTPS) must be
configured to use the same private key, so that their traffic can be decrypted and
analyzed by network monitoring tools. Because that key is then present on every
HTTPS honey pot, an attacker who recovers it from one breached instance can
decrypt traffic to all of them, and the identical certificate is a fingerprint for the
honey pots; the key must be generated for the AQS alone and never reused elsewhere.

The virtual machine configuration data for a honey pot archetype is stored in a single
VMware configuration file, which has an extension of cfg. This file is stored in the
archetype directory /var/dionaea/archetypes/<at>/vmware.

Each virtual honey pot system must be configured to have at least:

• An 8-bit video adapter.

• A PS/2 keyboard.

• A PS/2 mouse.

• A single undoable IDE virtual disk of 4GB.

• A single unconnected floppy drive.

• A single unconnected CD-ROM drive.

• A single network interface connected to a host-only network shared with no other
virtual honey pot.

It should also be configured to use the minimum amount of memory necessary to operate
correctly.

5.1.2 Network Access Control

The Network Access Control (firewall) subsystem denies some network traffic from/to
honey pot systems.

The firewall:

• Drops any spoofed packet from the honey pot systems.

• Drops any cross-honey pot traffic.

• Denies any packets to any of the honey pot server addresses.

• Denies traffic to any addresses in the support services network, except for traffic
destined to the Honey Pot Support Services.

• Logs all connection initiations to and from the honey pot systems and the honey
pot server.

5.1.2.1 Reasoning

Denying Spoofed Traffic

It is common for breached hosts to be used for denial of service (DoS) attacks. Often
these DoS attacks make use of spoofed packets. By dropping any spoofed packets that
originate from the honey pot systems we mitigate the chance that they will be used to
attack a third party.
Denying Cross-Honey Pot Traffic

Malicious code or an attacker that has breached a honey pot instance may attempt to
attack other honey pot instances since they are near each other in the IPv4 address space.
The new honey pot instance it may choose to attack may already be under attack by some
other attacker. The new attack against the other honey pot instance would contaminate
the data associated with the previous attack against it. By dropping any cross-honey pot
traffic we ensure that an attack against one honey pot instance will not contaminate data
about a concurrent attack against a different honey pot instance.

Denying Traffic From Different Remote Hosts To One Honey Pot Instance

This leaves open the possibility of two distinct external attackers launching attacks
against the same honey pot instance concurrently, contaminating each other's data. By
monitoring for the first incoming connection to the honey pot instance and dropping any
packets that do not originate from the same source IPv4 address we could eliminate this
contamination, at the expense of capturing attacks that involve more than one source
address. Since the likelihood of two simultaneous attacks is low we have decided not to
impose this filtering.

Denying Traffic To The Honey Pot Server 

The honey pot server's security is paramount for the proper functioning of the AQS. An 
attacker that is trying to breach, or has breached, a honey pot instance, is likely to attempt 
to breach the honey pot server. To minimize the likelihood of such an occurrence we 
deny all network traffic to the honey pot server. 

Denying Traffic To The Honey Pot Support Network 

The systems in the honey pot support network (e.g. database, honey pot management
server) are important components in the proper functioning of the AQS. An attacker that
is trying to breach, or has breached, a honey pot instance, is likely to attempt to breach
the systems in the honey pot support network. To minimize the likelihood of such an
occurrence we deny all network traffic from the honey pot systems to the honey pot
support network, except for traffic destined for the Honey Pot Support Services
subsystem.

Connection Logging 

While a number of other subsystems are responsible for capturing network traffic and
monitoring the initiation of new connections to and from honey pot systems, they all
depend on some daemon to be executing. By using the kernel's ability to log connection
initiations to and from honey pot systems we have a backup in the event of failure of
the other subsystems' daemons.

5.1.2.2 Implementation Details 

The Linux kernel, via the netfilter project, includes packet-filtering capabilities. Thus, the 
low-level details of network access control are already taken care of. 

Denying Spoofed Traffic 
We can drop spoofed packets originating from the honey pot systems by adding a rule to
the filter table's FORWARD chain with a target of DROP for any packets coming in via
any network interface, not including the one connected to the Internet, that have an IPv4
source address that is not within the IPv4 address space assigned to the honey pot
systems.

Denying Cross-Honey Pot Traffic 

We can drop all cross-honey pot traffic by adding a rule to the filter table's FORWARD
chain with a target of DROP for any packets with both an IPv4 source address and a
destination address within the IPv4 address space assigned to the honey pots. This will
not deny legitimate traffic from the honey pots to the locally hosted DHCP relay agent,
and vice versa, since the fate of such packets is determined by the filter table's INPUT
and OUTPUT chains, and not by the FORWARD chain.

Denying Traffic To The Honey Pot Server 

To deny traffic to the honey pot server, except that described below, we insert as the last
rule in the filter table's INPUT chain a rule that matches all traffic and has a target of
DROP (netfilter has no DENY target; that was the ipchains name for the same behaviour).
The ACCEPT rules described below must precede it.

Permitting Traffic To The DHCP Support Service 

To relay DHCP traffic to the DHCP support service the honey pot server executes a
DHCP relay agent. This service listens on UDP port 67.

To allow DHCP requests from honey pot systems to the DHCP relay agent we insert a
rule in the filter table's INPUT chain that matches the destination UDP port of 67, any
interface, not including the one connected to the Internet, and a connection state of
NEW,ESTABLISHED with a target of ACCEPT.

To allow the DHCP server's replies to the requests the DHCP relay agent forwards to it
we insert a rule in the filter table's INPUT chain that matches the destination UDP port of
67, the Internet connected interface, a source IPv4 address that matches the IPv4 address
of the system hosting the Honey Pot Support Services subsystem, and a connection state
of ESTABLISHED with a target of ACCEPT.

Denying Traffic To The Honey Pot Support Network 

To deny traffic to the honey pot support network, except that described below, we insert
as the last rule in the filter table's FORWARD chain a rule that matches a destination IPv4
address within the honey pot support network address range, and a target of DROP.

Permitting Traffic To The DNS Support Service

To allow DNS queries from the honey pot systems to the caching DNS server we insert a
rule in the filter table's FORWARD chain that matches the UDP destination port number
of 53, any interface, not including the one connected to the Internet, a destination IPv4
address that matches the IPv4 address of the system hosting the Honey Pot Support
Services subsystem, and a connection state of NEW with a target of ACCEPT. This rule
must precede the final support-network DROP rule.

To allow DNS responses from DNS servers in the Internet to the caching DNS server we
insert a rule in the filter table's INPUT chain that matches the UDP source port number of
53, the UDP destination port number of 53, the interface connected to the Internet, and a
connection state of ESTABLISHED with a target of ACCEPT.
Record of New Connections

We can log all connection initiations to and from the honey pot systems, and to and from
the honey pot server, by adding rules to the mangle table's PREROUTING chain with a
target of LOG that match the connection state of NEW for all interfaces in the system.
PREROUTING does not see connections the honey pot server itself originates; those need
the same rule in the mangle table's OUTPUT chain.
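The rules in this section collected into one script, as an added example rather than the project's own dionaea scripts. The interface name eth0, the honey pot address space 10.0.0.0/8, the support network 192.168.100.0/24, the support services host 192.168.100.10 and the log prefix are placeholders assumed for illustration. Setting AQS_DRY_RUN prints the iptables commands instead of running them, so the rule order can be reviewed without root.

```shell
#!/bin/sh
# Added example: the AQS honey pot server ruleset of 5.1.2.2 as one script.
# Interface names and address ranges are assumptions for illustration.
INET_IF="${INET_IF:-eth0}"                        # interface connected to the Internet
HP_NET="${HP_NET:-10.0.0.0/8}"                    # address space handed out to honey pots
SUPPORT_NET="${SUPPORT_NET:-192.168.100.0/24}"    # honey pot support network
SUPPORT_HOST="${SUPPORT_HOST:-192.168.100.10}"    # Honey Pot Support Services host
LOG_PREFIX="${LOG_PREFIX:-AQS-NEW }"

# ipt: run iptables, or print the command instead when AQS_DRY_RUN is set.
ipt() {
    if [ -n "$AQS_DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

aqs_firewall_rules() {
    # Start from empty chains; the INPUT and FORWARD policies stay ACCEPT and
    # the explicit DROP rules appended last do the denying.
    ipt -t filter -F INPUT
    ipt -t filter -F FORWARD
    ipt -t mangle -F PREROUTING
    ipt -t mangle -F OUTPUT

    # Record of new connections (kernel-side backup for the capture daemons).
    # PREROUTING never sees packets this host originates, hence the OUTPUT rule.
    ipt -t mangle -A PREROUTING -m state --state NEW -j LOG --log-prefix "$LOG_PREFIX"
    ipt -t mangle -A OUTPUT -m state --state NEW -j LOG --log-prefix "$LOG_PREFIX"

    # Denying spoofed traffic: anything entering a non-Internet interface must
    # carry a honey pot source address.
    ipt -A FORWARD ! -i "$INET_IF" ! -s "$HP_NET" -j DROP
    # Denying cross-honey pot traffic.
    ipt -A FORWARD -s "$HP_NET" -d "$HP_NET" -j DROP
    # Permitting DNS queries to the caching DNS server on the support host ...
    ipt -A FORWARD ! -i "$INET_IF" -d "$SUPPORT_HOST" -p udp --dport 53 -m state --state NEW -j ACCEPT
    # ... before denying everything else destined for the support network.
    ipt -A FORWARD -d "$SUPPORT_NET" -j DROP

    # Permitting DHCP from the honey pot interfaces to the local relay agent.
    ipt -A INPUT ! -i "$INET_IF" -p udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
    # DHCP server replies to the relay agent, and Internet DNS replies to the resolver.
    ipt -A INPUT -i "$INET_IF" -s "$SUPPORT_HOST" -p udp --dport 67 -m state --state ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$INET_IF" -p udp --sport 53 --dport 53 -m state --state ESTABLISHED -j ACCEPT
    # Denying everything else addressed to the honey pot server itself (last rule).
    ipt -A INPUT -j DROP
}
```

Rule order is the whole point: the DNS ACCEPT must precede the support-network DROP and every INPUT ACCEPT must precede the final INPUT DROP, which also cuts off any management access the honey pot server needs unless a rule for it is added before it. Verify the live result with iptables -L -v -n and iptables -t mangle -L -v -n.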

5.1.3 Network Traffic Capture 

The Network Traffic Capture subsystem records all network traffic from/to a honey pot.
The subsystem:

• Records all network traffic from/to a honey pot instance.

5.1.3.1 Reasoning 

Homegrown Network Traffic Capture Software 

There are a number of tools that allow us to capture network traffic (e.g. tcpdump or
ethereal). Most of these tools are based on the pcap packet capture library and provide a
rich language to determine what traffic to capture. Yet all of them provide nothing more
than a rudimentary method to store captured network traffic: a single capture file for all
captured traffic.

We wish to capture traffic to multiple honey pot instances. For convenience's sake we
want captured network traffic to/from different honey pot instances to be stored in
different files. We also want to be able to tell the network traffic capture software when
to start and stop capturing traffic for any particular honey pot instance. We do not wish to
capture network traffic towards a honey pot system while an instance of it does not exist.

Given our requirements and the limitations of the available tools we need to develop our
own network traffic capture software that can be directed to start and stop capturing
network traffic to and from specific IP addresses, and can store the captured network
traffic in different files based on the matching IP address.

Capture File Format 

The pcap dump file format is understood by a large number of third-party tools that we
can use to analyze the network traffic. For this reason we store captured network traffic in
files that use the pcap dump file format.

Where to Capture Traffic 

Under Linux the network capture hook captures an outgoing packet right before it is 
placed on the wire, and captures an incoming packet right before it is handed to the 
network protocol stack. For packets that are being forwarded this means we have a choice 
of where to capture the packet. 

Because we are performing some packet filtering, a packet received on one interface for
forwarding may not make it out the other interface. Additionally, packets may be directed
to the honey pot server itself. Such packets can only be captured on the interface they
arrived on.

Since we want to capture as much data as possible about the network traffic sent by a
honey pot system or to a honey pot system, we capture network traffic as it is received or
sent by the network interface connected to the honey pot system's network.

Determining What Traffic To Capture 

We could use a honey pot system's private IPv4 address to capture traffic towards and
from it, at the interface that connects to the honey pot network, but such an approach
would fail to capture some network traffic.

If malicious code in the honey pot instance sends spoofed IPv4 traffic the filter would fail
to match it and capture it. Such a filter would also fail to capture any broadcast IPv4 traffic
and any non-IPv4 traffic, such as ARP or NetBEUI traffic.

To solve this problem we could instead capture traffic that matches the honey pot system's
Ethernet address in the source or destination address of an Ethernet frame, but this option
suffers from the problem that Ethernet frames are easily spoofed as well.

The solution is to capture all network traffic sent or received via the network interface
associated with the honey pot system.

PF_PACKET vs. pcap 

If we were to use the pcap library for capturing packets this would require the use of
multiple pcap packet capture descriptors (pcap_t), since a pcap packet capture descriptor
can only be associated with a single interface, but the pcap library has no function that
can poll multiple packet capture descriptors at the same time. (Later libpcap releases
added pcap_get_selectable_fd(), which exposes a file descriptor usable with poll(2) and
removes this limitation.)

We would thus need to continuously loop reading from a non-blocking packet capture
descriptor, draining processor resources, or we would need to create one thread per packet
capture descriptor. If we go with a threaded approach then we must determine how to
handle the SIGHUP signal that we use to command the daemon to rescan the
configuration directory, and how to interrupt the threads that are reading from the packet
capture descriptors.

Instead, we bypass the pcap library and create PF_PACKET sockets with the
ETH_P_ALL protocol bound to the network interface associated with the honey pot
system. This permits us to capture all traffic associated with the honey pot coming in via
this interface regardless of Ethernet or IPv4 addresses, while at the same time we use the
poll(2) system call to wait on multiple descriptors simultaneously with a single thread.

5.1.3.2 Implementation Details 

A command, dionaea-start-netcap, commands the dionaea-netcapd daemon to start
capturing network traffic to or from a honey pot system. It takes as an argument the
honey pot system's id. The command:

• Creates a zero length file in the directory /var/dionaea/netcap/control with a
filename equal to the honey pot system's id.

• Reads the dionaea-netcapd daemon process id number from the file
/var/dionaea/netcap/pid.

• Sends a SIGHUP signal to the daemon.
A daemon, dionaea-netcapd:

• Writes its process id to the file /var/dionaea/netcap/pid.

• Reads the directory /var/dionaea/netcap/control.

• For each honey pot system id read from the directory
/var/dionaea/netcap/control, it:

o Looks up its associated network interface in the HoneyPotSystems table.

o Opens for writing a network capture file in the pcap dump file format
named /var/dionaea/netcap/partial/<id>, where <id> is the honey pot
system's id, using the pcap library's pcap_dump_open() function.

o Creates a PF_PACKET socket with a protocol of ETH_P_ALL.

o Binds the socket to the network interface associated with the honey pot
system.

o Sets the socket to promiscuous mode.

• Registers a SIGHUP signal handler that:

o Reads the directory /var/dionaea/netcap/control.

o Compares the list of honey pot system ids this time the directory is read to
the list of honey pot system ids the last time the directory was read.

o For each honey pot system id that is no longer listed in the directory
/var/dionaea/netcap/control, it:

■ Closes the PF_PACKET socket bound to the network interface
associated with the honey pot system's id.

■ Closes the network traffic capture file
/var/dionaea/netcap/partial/<id>, using the pcap library's
pcap_dump_close() function.

■ Looks up the honey pot's instance number in the
HoneyPotInstances table.

■ Moves the file /var/dionaea/netcap/partial/<id> to
/var/dionaea/netcap/cap/<id>-<instance>, where <instance> is
the honey pot instance number.

o For each new honey pot system id listed in the directory
/var/dionaea/netcap/control, it:

■ Looks up its associated network interface in the HoneyPotSystems
table.

■ Opens for writing a network capture file in the pcap dump file
format named /var/dionaea/netcap/partial/<id>, where <id> is
the honey pot system's id, using the pcap library's
pcap_dump_open() function.

■ Creates a PF_PACKET socket with a protocol of ETH_P_ALL.

■ Binds the socket to the network interface associated with the honey
pot system.

■ Sets the socket to promiscuous mode.

• Enters into a loop that:

o Polls all PF_PACKET socket descriptors.

o Captures network traffic from any descriptors with data.

o Stores a captured packet in the appropriate pcap dump file using the pcap
library's pcap_dump() function.

Two implementation notes: pcap_dump_open() needs a pcap_t even though no live pcap
capture is used, which pcap_open_dead() supplies; and directory reads, database lookups
and pcap_dump_close() are not async-signal-safe, so the SIGHUP handler should only set
a flag and the rescan should run in the main loop after poll(2) returns (with EINTR) and
the flag is seen set.

A command, dionaea-stop-netcap, commands the dionaea-netcapd daemon to stop 
capturing network traffic to or from some honey pot instance. The command: 

• Deletes the zero length file in the directory /var/dionaea/netcap/control with a 
filename equal to the honey pot system's id. 

• Reads the dionaea-netcapd daemon process id number from the file 
/var/dionaea/netcap/pid. 

• Sends a SIGHUP signal to the daemon. 
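The two control commands just described (dionaea-start-netcap above and dionaea-stop-netcap here) written as shell functions, as an added example and not the project's scripts. NETCAP_DIR is an assumed override of the /var/dionaea/netcap location so the functions can be tried outside a deployment, and the numeric-id check is an added safeguard against a caller passing a path instead of an id.

```shell
#!/bin/sh
# Added example: dionaea-start-netcap / dionaea-stop-netcap control commands.
# NETCAP_DIR defaults to the specification's directory; overriding it is an
# assumption made so the functions can be exercised elsewhere.
NETCAP_DIR="${NETCAP_DIR:-/var/dionaea/netcap}"

# netcap_signal_daemon: read the daemon's pid and send SIGHUP so that it
# rescans the control directory. Fails on a missing or malformed pid file.
netcap_signal_daemon() {
    pid=$(cat "$NETCAP_DIR/pid" 2>/dev/null) || { echo "netcap: no pid file" >&2; return 1; }
    case "$pid" in
        ''|*[!0-9]*) echo "netcap: bad pid '$pid'" >&2; return 1 ;;
    esac
    kill -HUP "$pid"
}

# dionaea_start_netcap <system-id>: create the zero-length control file for
# the honey pot system and tell the daemon about it.
dionaea_start_netcap() {
    id="$1"
    case "$id" in
        ''|*[!0-9]*) echo "usage: dionaea_start_netcap <numeric system id>" >&2; return 2 ;;
    esac
    : > "$NETCAP_DIR/control/$id" && netcap_signal_daemon
}

# dionaea_stop_netcap <system-id>: remove the control file and signal the daemon,
# which then closes the capture and moves it to cap/<id>-<instance>.
dionaea_stop_netcap() {
    id="$1"
    case "$id" in
        ''|*[!0-9]*) echo "usage: dionaea_stop_netcap <numeric system id>" >&2; return 2 ;;
    esac
    rm -f "$NETCAP_DIR/control/$id" && netcap_signal_daemon
}

# netcap_is_capturing <system-id>: 0 when a control file exists for the system.
netcap_is_capturing() {
    [ -f "$NETCAP_DIR/control/$1" ]
}
```

The daemon is only told "something changed", so the file must exist (or be gone) before the signal is sent; both functions therefore chain the file operation and the signal with &&, and a failed signal leaves the control file in place for the next rescan to pick up.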

5.1.4 Honey Pot Monitoring & Management

The Honey Pot Monitoring & Management subsystem activates and deactivates honey 
pots, and determines when a honey pot has been breached. 

The subsystem: 

• Reads the desired honey pot status from the database. 

• Stores the current honey pot status in the database. 

• Instantiates a honey pot system. 

• Instructs the Network Traffic Capture subsystem to start capturing network traffic 
to/from the honey pot instance. 

• Determines if a honey pot instance has been breached. 

• Determines whether a breached honey pot instance has reached a suspend 
condition. 

• Suspends the execution of a honey pot instance. 

• Instructs the Network Traffic Capture subsystem to stop capturing network traffic 
to/from the honey pot instance. 

• Passes the collected data to the Post-Intrusion Automated Analysis subsystem. 
5.1.4.1 Reasoning 

The life cycle of a honey pot system - instantiation, breach, suspension - must be
automated. There is also a need for the analysts to manually bring up or down a honey
pot instance, and for them to query the status of the honey pot systems, from the analyst
web-based interface. The analyst web-based interface must be capable of managing
multiple honey pot servers.

Database 

By using the database as the communication medium between the Honey Pot Monitoring
& Management subsystem, the analyst web-based interface, and other subsystems we
simplify the interdependencies of the system and at the same time provide long-term
storage of the system's configuration.

Detecting a Breach 

Version 1.0 of AQS does not include instrumentation and data capture at the honey pot
itself. The only data available for determining whether a honey pot instance has been
breached is the network traffic to/from it. If the honey pot system's operating system and
applications are configured so that they do not initiate network connections then any
outgoing network connection from a honey pot instance is a good indication that the
honey pot has been breached.

When to Suspend a Honey Pot Instance 

We do not wish to suspend a honey pot instance that has been breached immediately. We
want to provide sufficient time for the malicious code or attacker that breached the honey
pot instance to reveal more about itself. For example, an attacker may download
a rootkit from some external server. After we have provided the attacker sufficient time
to reveal more about himself, then we suspend the honey pot.

There are a number of ways to determine when to suspend the honey pot instance. We
can provide the attacker with some maximum amount of time after which the honey pot
instance is suspended. We can also track the number of outgoing network connections
and suspend the honey pot instance after some number of them is reached. We combine
these two methods so that the honey pot instance is suspended when either threshold is
reached, and refine it by providing the attacker with a minimum amount of time.
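Breach detection as described here, run over the kernel's connection log from 5.1.2, together with the suspend policy of the previous paragraph; this is an added example, not the project's monitoring daemon. It assumes the LOG rules use the prefix "AQS-NEW ", that honey pot interfaces are named vmnet<n>, that the support services host is 192.168.100.10, and the threshold values shown; the kernel log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: breach indicators from netfilter LOG lines plus the suspend
# policy (maximum time, maximum connections, minimum time). The log prefix,
# interface naming, support host and thresholds are assumptions.
SUPPORT_HOST="${SUPPORT_HOST:-192.168.100.10}"
HP_MIN_SECONDS="${HP_MIN_SECONDS:-600}"    # attacker gets at least 10 minutes ...
HP_MAX_SECONDS="${HP_MAX_SECONDS:-3600}"   # ... and at most an hour ...
HP_MAX_CONNS="${HP_MAX_CONNS:-20}"         # ... or this many outbound connections

# log_field <name> <line>: extract one KEY=value field from a netfilter LOG line.
log_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\([^ ]*\).*/\1/p"
}

# is_breach_indicator <line>: 0 if the line records a NEW connection that a
# honey pot initiated, other than the DHCP and DNS traffic an idle honey pot
# is allowed to produce (see the archetype requirements in 5.1.1).
is_breach_indicator() {
    line="$1"
    case "$line" in *"AQS-NEW "*) ;; *) return 1 ;; esac
    in_if=$(log_field IN "$line")
    case "$in_if" in vmnet[0-9]*) ;; *) return 1 ;; esac     # must enter from a honey pot
    proto=$(log_field PROTO "$line")
    dst=$(log_field DST "$line")
    dpt=$(log_field DPT "$line")
    if [ "$proto" = "UDP" ] && [ "$dpt" = "67" ]; then return 1; fi               # DHCP to the relay
    if [ "$proto" = "UDP" ] && [ "$dpt" = "53" ] && [ "$dst" = "$SUPPORT_HOST" ]; then
        return 1                                                                 # DNS to the resolver
    fi
    return 0
}

# count_breach_indicators: read log lines on stdin, print how many indicate a breach.
count_breach_indicators() {
    n=0
    while IFS= read -r line; do
        if is_breach_indicator "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# should_suspend <seconds-since-breach> <outbound-connections>: 0 when the
# instance has reached a suspend condition.
should_suspend() {
    elapsed="$1"; conns="$2"
    if [ "$elapsed" -ge "$HP_MAX_SECONDS" ]; then return 0; fi
    if [ "$elapsed" -ge "$HP_MIN_SECONDS" ] && [ "$conns" -ge "$HP_MAX_CONNS" ]; then return 0; fi
    return 1
}

# Constructed kernel log excerpt: DHCP discover, DNS lookup, an inbound SMB
# connection from the Internet, then two outbound connections (IRC and HTTP).
sample_kernel_log() {
    cat <<'EOF'
Jan  5 10:00:01 hpserver kernel: AQS-NEW IN=vmnet1 OUT= SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan  5 10:00:05 hpserver kernel: AQS-NEW IN=vmnet1 OUT=eth0 SRC=10.0.1.2 DST=192.168.100.10 LEN=60 TTL=127 ID=2 PROTO=UDP SPT=1025 DPT=53 LEN=40
Jan  5 10:02:17 hpserver kernel: AQS-NEW IN=eth0 OUT=vmnet1 SRC=203.0.113.7 DST=10.0.1.2 LEN=48 TTL=51 ID=3 PROTO=TCP SPT=3456 DPT=445 WINDOW=65535 SYN
Jan  5 10:03:40 hpserver kernel: AQS-NEW IN=vmnet1 OUT=eth0 SRC=10.0.1.2 DST=203.0.113.7 LEN=48 TTL=127 ID=4 PROTO=TCP SPT=1031 DPT=6667 WINDOW=64240 SYN
Jan  5 10:03:41 hpserver kernel: AQS-NEW IN=vmnet1 OUT=eth0 SRC=10.0.1.2 DST=198.51.100.9 LEN=48 TTL=127 ID=5 PROTO=TCP SPT=1032 DPT=80 WINDOW=64240 SYN
EOF
}
```

Only the last two lines count: the first connection is DHCP, the second is a DNS query to the support host, and the third was initiated from the Internet. An archetype that still emits idle traffic (the pcap filter file of 5.1.1) would need that filter applied as a further exclusion.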

5.1.4.2 Implementation Details 
Dionaea-hp-start 

The command, dionaea-hp-start, starts a honey pot instance. It takes as an argument the
numeric id that identifies the honey pot system to instantiate. The command:

• Inserts a record in the HoneyPotInstances table with a status of Starting.

• Looks up the automatically assigned honey pot instance ID.

• Inserts a record to the HoneyPotInstanceEvents table to indicate the honey pot
instance's status is now Starting.

• Creates the directory <id> in the directory /var/dionaea/honeypots, where <id>
is the numeric id that identifies the honey pot system in the database.

• Executes dionaea-start-netcap.

• Executes dionaea-hp-start-vmware.

• Sleeps for 5 minutes.

• Updates the honey pot instance record in the HoneyPotInstances table with a
status of Executing.

• Inserts a record to the HoneyPotInstanceEvents table to indicate the honey pot
instance's status is now Executing.

Dionaea-hp-start-vmware 

The command, dionaea-hp-start-vmware, starts a honey pot instance's virtual host. It
takes as an argument the numeric id that identifies the honey pot system whose virtual
host to start. The command:

• Creates the directory vmware in the directory /var/dionaea/honeypots/<id>.

• Determines the filename of the VMware archetype by looking it up in the
VMwareHoneyPotArchetypes table.

• Copies the VMware configuration file (cfg) from the directory
/var/dionaea/archetypes/<at>/vmware to the directory
/var/dionaea/honeypots/<id>/vmware.

• Creates symbolic links to the VMware virtual disk archetype files (vmdk) in
the directory /var/dionaea/archetypes/<at>/vmware from the directory
/var/dionaea/honeypots/<id>/vmware.

• Registers the honey pot's virtual machine with the VMware server by using the
Perl VMware::VmPerl::Server::register_vm() subroutine.

• Determines the network interface connected to the honey pot by looking it up in
the HoneyPotSystems table.

• Configures the honey pot virtual machine to use the network interface assigned to
the honey pot system, by using the Perl VMware::VmPerl::VM::set_config()
subroutine, setting ethernet0.present to TRUE, ethernet0.connectionType to
custom, and ethernet0.vnet to the interface name (e.g. /dev/vmnet0).

• Determines the honey pot system's Ethernet address by looking it up in the
VMwareHoneyPotSystems table.

• Assigns the honey pot virtual machine a new Ethernet address, by using the Perl
VMware::VmPerl::VM::set_config() subroutine, setting ethernet0.address to an
Ethernet address of the form 00:50:56:XX:YY:ZZ, where XX is a hex number
between 00h and 3Fh, and YY and ZZ are hex numbers between 00h and FFh.

• Starts the honey pot's virtual machine, by using the Perl
VMware::VmPerl::VM::start() subroutine.
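The file-system steps of dionaea-hp-start-vmware together with a generator for Ethernet addresses in the 00:50:56:00:00:00 to 00:50:56:3F:FF:FF range just described, as an added example and not the project's command. The directory roots default to the paths given above but are overridable (an assumption made so the functions can be run in a scratch directory); the VmPerl calls and database lookups are left to the command itself.

```shell
#!/bin/sh
# Added example: directory preparation for a honey pot instance's virtual host
# and Ethernet address assignment. Overridable roots are an assumption.
ARCHETYPE_ROOT="${ARCHETYPE_ROOT:-/var/dionaea/archetypes}"
HONEYPOT_ROOT="${HONEYPOT_ROOT:-/var/dionaea/honeypots}"

# aqs_vmware_mac <n>: map an integer 0..0x3FFFFF onto 00:50:56:XX:YY:ZZ with
# XX in 00h-3Fh, the range VMware reserves for manually assigned addresses.
# Returns 1 when n is out of range, 2 when it is not a number.
aqs_vmware_mac() {
    n="$1"
    case "$n" in ''|*[!0-9]*) return 2 ;; esac
    [ "$n" -le 4194303 ] || return 1
    printf '00:50:56:%02X:%02X:%02X\n' $((n / 65536)) $((n / 256 % 256)) $((n % 256))
}

# aqs_prepare_vmware_dir <archetype-id> <system-id>: create
# $HONEYPOT_ROOT/<id>/vmware, copy the archetype's .cfg file into it and
# symlink every .vmdk. The disk is undoable, so the base vmdk is only read and
# a symlink avoids copying gigabytes per instance.
aqs_prepare_vmware_dir() {
    at="$1"; id="$2"
    case "$at$id" in ''|*[!0-9]*) echo "ids must be numeric" >&2; return 2 ;; esac
    src="$ARCHETYPE_ROOT/$at/vmware"
    dst="$HONEYPOT_ROOT/$id/vmware"
    [ -d "$src" ] || { echo "no archetype $at under $ARCHETYPE_ROOT" >&2; return 1; }
    mkdir -p "$dst"
    cfg_found=0
    for f in "$src"/*.cfg; do
        [ -e "$f" ] || continue
        cp "$f" "$dst/" && cfg_found=1
    done
    [ "$cfg_found" -eq 1 ] || { echo "archetype $at has no .cfg file" >&2; return 1; }
    for f in "$src"/*.vmdk; do
        [ -e "$f" ] || continue
        ln -s "$f" "$dst/$(basename "$f")"
    done
}
```

The numeric-id check keeps a caller from turning an id argument into a path; the spec's commands all take numeric ids, and nothing else should reach the file system.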

Dionaea-hp-suspend

The command, dionaea-hp-suspend, suspends a honey pot instance. It takes as an
argument the numeric id that identifies the honey pot system to suspend. The command:

• Modifies the record of the honey pot instance in the HoneyPotInstances table,
setting the status to Stopping.

• Inserts a record to the HoneyPotInstanceEvents table to indicate the honey pot
instance's status is now Stopping.

• Executes dionaea-hp-suspend-vmware.

• Executes dionaea-stop-netcap.

• Moves the honey pot instance's directory from /var/dionaea/honeypots/<id> to
/var/dionaea/post/<id>-<instance>, where <instance> is the honey pot instance
number as stored in the database.

• Moves and renames the file /var/dionaea/netcap/cap/<id>-<instance> to the file
/var/dionaea/post/<id>-<instance>/netcap.

• Creates a tar archive of the /var/dionaea/post/<id>-<instance> directory named
<id>-<instance>.tar.

• Copies <id>-<instance>.tar to the host hosting the Post-Intrusion Automated
Analysis subsystem under the directory /var/dionaea/post/incoming by
executing the command scp.

• Removes the directory /var/dionaea/post/<id>-<instance> and the file
<id>-<instance>.tar.

• Modifies the record of the honey pot instance in the HoneyPotInstances table,
setting the instance number to the latest one and the status to Suspended.

• Inserts a record to the HoneyPotInstanceEvents table to indicate the honey pot
instance's status is now Suspended.

Dionaea-hp-suspend-vmware 

The command, dionaea-hp-suspend-vmware, suspends a honey pot instance's virtual 
host. It takes as an argument the numeric id that identifies the honey pot system whose 
virtual host to suspend. The command: 

• Suspends the honey pot's virtual machine via the Perl 
VMware::VmPerl::VM::suspend() subroutine. 

• Unregisters the honey pot's virtual machine with the VMware server by using the 
Perl VMware::VmPerl::Server::unregister_vm() subroutine. 

Dionaea-hp-halt 
The command, dionaea-hp-halt, halts a honey pot instance and throws away any 
captured data. It takes as an argument the numeric id that identifies the honey pot system 
to halt. The command: 

• Modifies the record of the honey pot instance in the HoneyPotInstances table, 
setting the instance number to the latest one and the status to Stopping. 

• Inserts a record to the HoneyPotInstanceEvents table to indicate the honey pot 
instance's status is now Stopping. 

• Executes dionaea-hp-halt-vmware. 

• Executes dionaea-stop-netcap. 

• Removes the honey pot instance's directory /var/dionaea/honeypots/<id>, 
and all its contents. 

• Removes the directory /var/dionaea/netcap/cap/<id>-<instance>, and all its 
contents. 

• Modifies the record of the honey pot instance in the HoneyPotInstances table, 
setting the instance number to the latest one and the status to Halted. 

• Inserts a record to the HoneyPotInstanceEvents table to indicate the honey pot 
instance's status is now Halted. 

Dionaea-hp-halt-vmware 

The command, dionaea-hp-halt-vmware, halts a honey pot instance's virtual host. It 
takes as an argument the numeric id that identifies the honey pot system whose virtual 
host to halt. The command: 

• Stops the honey pot's virtual machine via the Perl 
VMware::VmPerl::VM::stop() subroutine. 

• Unregisters the honey pot's virtual machine with the VMware server by using the 
Perl VMware::VmPerl::Server::unregister_vm() subroutine. 

Dionaea-managed 

A daemon, dionaea-managed, determines when to start or halt a honey pot instance. The 
daemon: 

• Loops forever, and: 

o Looks up the hostname of the system it runs on. 

o Determines whether there is any honey pot server for the system in the 
HoneyPotServers table, of type VMware, and its state. 

o If the state of the honey pot server is Disabled or Archived, then: 

■ Looks up all honey pot system instances associated with the honey 
pot server with a status of Starting, Executing, Waiting, Contacted 
or Breached. 

■ For each such honey pot system instance it executes the command 
dionaea-hp-halt. 

o Else, if the state of the honey pot server is Enabled, then: 

■ Looks up all honey pot systems associated with the honey pot 
server, their state, and the state of their latest instance in the 
HoneyPotSystems and HoneyPotInstances tables. 

■ For each such honey pot system: 

• If the honey pot system state is Enabled and the status of 
the last honey pot instance is one of Suspended, Halted, 
Analyzed or Reviewed, then it executes the command 
dionaea-hp-start to start a new honey pot system instance. 

• If the honey pot system state is Disabled or Archived and 
the status of the last honey pot instance is one of Executing, 
Waiting, Contacted or Breached, then it executes the 
command dionaea-hp-halt. 

o Sleeps for 10 seconds. 



Dionaea-monitord 

A daemon, dionaea-monitord, determines when a honey pot instance has been breached 
and when to suspend it and start the post-intrusion analysis. The daemon: 

• Inserts a rule in the mangle table's FORWARD chain that matches the interface 
facing the Internet as the outgoing interface and a state of NEW with a target of 
QUEUE. 

• Loops and: 

o Waits for the kernel to pass it a packet that matches the inserted rule, 
signaling the initiation of a connection from a honey pot instance, by using 
the libipq C library or the perlipq Perl module, with a timeout of 5 
seconds. 

o Looks up via what interface the packet arrived. 

o Determines what honey pot system the interface is associated with by 
looking it up in the HoneyPotSystems table. 

o Increases the count of connections seen from the honey pot system's 
instance. 

o Responds to the kernel with a verdict of NF_ACCEPT for the packet, 
which will make the packet continue its route through the kernel 
connection tracking and packet filtering code. 

o If this is the first connection: 

■ Records the time the connection was seen. 

■ Modifies the record of the honey pot instance in the 
HoneyPotInstances table, setting the instance number to the latest 
one and the status to Breached. 

■ Inserts a record to the HoneyPotInstanceEvents table to indicate 
the honey pot instance state is now Breached. 

o If more than 5 minutes have elapsed since the first connection seen from 
the honey pot instance and, at least 10 network connections have been 
seen from the honey pot instance or at least 10 minutes have elapsed since 
the first connection seen from the honey pot instance, then: 

■ Suspends the honey pot instance by executing dionaea-hp-suspend. 

■ Zeros the connection counter for the honey pot system. 
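The breach and suspend decision of dionaea-monitord, as an added example in Python that is not part of the AQS code (the daemon itself uses libipq/perlipq; here each QUEUE'd NEW packet is fed in by interface name and the Monitor, Counter and event-list names are assumptions). It shows the two-stage rule: the instance is marked Breached on the first outbound connection, and suspended only after the 5-minute dwell, once 10 connections were seen or 10 minutes have passed.

```python
from dataclasses import dataclass
from typing import Optional

MIN_DWELL = 5 * 60    # never suspend before 5 minutes after the first connection
MAX_DWELL = 10 * 60   # suspend 10 minutes after the first connection regardless
MIN_CONNS = 10        # ... or earlier once this many connections were seen


@dataclass
class Counter:
    """Per honey pot system connection counter kept by the daemon."""
    system_id: int
    connections: int = 0
    first_seen: Optional[float] = None   # time of the first outbound connection


class Monitor:
    def __init__(self, iface_to_system):
        # interface -> honey pot system id, as looked up in HoneyPotSystems
        self.iface_to_system = iface_to_system
        self.counters = {}
        self.events = []      # (system_id, status) rows; stands in for HoneyPotInstanceEvents
        self.suspended = []   # systems for which dionaea-hp-suspend would be executed

    def handle_packet(self, in_iface, now):
        """Called for every NEW outbound connection the FORWARD QUEUE rule hands us."""
        sid = self.iface_to_system[in_iface]
        c = self.counters.setdefault(sid, Counter(sid))
        c.connections += 1
        if c.first_seen is None:   # first outbound connection: the honey pot is breached
            c.first_seen = now
            self.events.append((sid, "Breached"))
        return "NF_ACCEPT"         # let the packet continue through conntrack and filter

    def check(self, now):
        """Run after each packet or 5-second timeout; returns the systems suspended now."""
        done = []
        for c in self.counters.values():
            if c.first_seen is None:
                continue
            elapsed = now - c.first_seen
            if elapsed > MIN_DWELL and (c.connections >= MIN_CONNS or elapsed >= MAX_DWELL):
                done.append(c.system_id)
                c.connections, c.first_seen = 0, None   # zero the counter for the system
        self.suspended.extend(done)
        return done
```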



5.1.5 Honey Pot Support Services 

While the honey pot server does not itself host the Honey Pot Support Services 
subsystem, its assistance is required to make the DHCP support service accessible to 
honey pot systems. 

DHCP packets cannot simply be forwarded at the IP layer since some of them are 
broadcast. Instead the honey pot server must execute a DHCP relay agent. We make use 
of the ISC DHCP relay agent, which listens for DHCP packets on UDP port 67 and relays 
them to the DHCP server in the system hosting the Honey Pot Support Services 
subsystem. 



5.2 NAT Server 

The Network Address Translation (NAT) server hosts the NAT subsystem. The 
subsystem maps one or more public IP addresses to each honey pot system's private IP 
address. 

5.2.1 Network Address Translation 

The Network Address Translation (NAT) subsystem maps a number of routable IPv4 
addresses to the honey pot systems. It does this by mapping M-number of routable IPv4 
addresses to each honey pot system, an M-to-N mapping. 

Each honey pot system is assigned a percentage, or weight, that represents the portion of 
the available routable IPv4 addresses that must be mapped to it. The subsystem 
dynamically assigns available routable IPv4 addresses to each honey pot system in 
correspondence to the percentage, or weight, assigned to each. 

When an incoming connection to a honey pot system is detected all IPv4 addresses 
mapped to the honey pot are unmapped from it and reassigned to other honey pot systems 
waiting for incoming connections. 

The network address translation subsystem must also support as many high-level 
protocols as possible. 

5.2.1.1 Reasoning 

The virtualization host hosts the Network Address Translation (NAT) subsystem. 
Network-based worms and opportunistic attackers commonly select a networked system 
to attack by either randomly generating a target IPv4 address or randomly selecting a 
network and scanning a target network. In both cases, the chances of any one system 
being selected as the target for an attack increase with the number of unique routable 
IPv4 addresses the system possesses. 

Since the purpose of the AQS is to capture malicious code samples and attacks, any 
factor that increases the likelihood of an AQS honey pot instance being targeted should 
be explored. In this case, it is very desirable for the AQS to have as large a network 
footprint as practically possible. 

Seeing as each routable IPv4 address must be mapped to some honey pot instance we 
could choose to map them one-to-one. That is, one routable IPv4 address to one honey 
pot instance and vice versa. The disadvantage of this choice is that honey pot instances 
are resource intensive, and we only have resources to create, execute, and maintain a 
limited number of them. 

A different choice is to map multiple routable IPv4 addresses to each honey pot instance, 
or an M-to-N map. This choice allows us to map as large an IPv4 address space as we 
wish to the limited number of honey pot instances we can support. This is the approach 
we use in AQS. 

One troublesome aspect of the M-to-N approach is the question of what IPv4 addresses to 
use as the source IPv4 address for packets originating in the honey pot instance from the 
many assigned to it. 

The issue can be easily resolved for packets that are part of a network "connection" that is 
initiated towards the honey pot instance. Since the connection is initiated towards the 
honey pot instance, the NAT system will use the destination IPv4 address of the packets 
that initiated the connection as the source IPv4 address for any packets that are part of the 
connection in the opposite direction. This is easily accomplished by maintaining state for 
TCP sessions and can be emulated to a reasonable degree for UDP and ICMP packets. 
Most NAT systems already support this "connection tracking" capability, including the 
Linux kernel, which we are making use of. 

Packets that are part of a network connection that is initiated by the honey pot instance 
pose a bigger challenge. The destination IPv4 address is the only information the packet 
itself provides to help us decide which source IPv4 address to use. Since the destination 
IPv4 address may be different from the source IPv4 address of any connections initiated 
towards the honey pot instance, it proves unreliable as a method to decide on a source 
IPv4 address. 

One solution to this problem is to limit the choice of source IPv4 address by unmapping 
all but one IPv4 address from the honey pot instance after a connection has been initiated 
towards it, leaving mapped only the destination IPv4 address of this connection. Since 
honey pot systems must be configured so that they do not initiate network activity when 
left in an idle state, any outgoing network connections can only be the result of some 
incoming network connection, and by that time the source IPv4 address of outgoing 
packets has already been selected. 

This is the solution we use in AQS. When a honey pot system is instantiated one or more 
routable IPv4 addresses are mapped to the honey pot instance. When a connection is 
initiated towards the honey pot instance all routable IPv4 addresses except the one that is 
the destination IPv4 address of the connection are unmapped. When the honey pot is 
reinstantiated all routable IPv4 addresses are mapped once again. 

One disadvantage of this approach is that between the time a connection towards the 
honey pot is initiated and the honey pot is reinstantiated any connection attempts to the 
unmapped IPv4 addresses are simply ignored, thus reducing the network footprint of 
AQS and its effectiveness. 

To alleviate this we can increase the number of honey pot systems, thus reducing the 
number of IPv4 addresses mapped to a single honey pot instance and contention for them. 
Another solution is to dynamically map the unmapped IPv4 addresses to some other 
honey pot instance. Thus, no IPv4 address is ever unmapped for more than a few seconds, 
unless all honey pot instances are in the state after a connection has been initiated 
towards them but have not yet been reinstantiated. We do the latter in AQS. 

This choice requires that routable IPv4 addresses not be mapped statically to honey pots. 

Instead we assign each honey pot instance some fraction of routable IPv4 addresses 
assigned to AQS and the system dynamically balances the IPv4 address assignments as 
the IPv4 addresses are unmapped and mapped again. 

In addition, if we assign the IPv4 addresses randomly this assures us that different honey 
pot systems are assigned the same IPv4 address at different times. This attribute is 
positive because many attackers scan the IPv4 address space sequentially or semi- 
sequentially. If routable IPv4 addresses were always mapped to the same private IPv4 
addresses, the honey pot system mapped to the first routable IPv4 address in the honey 
pot server IPv4 address range would be disproportionately attacked. 

Some network protocols do not work across a standard NAT device. These protocols 
usually encode the destination or source IPv4 address and/or TCP or UDP port numbers 
in the higher layers of the protocol. To get around this issue, NAT modules for some of 
these protocols have been developed. Since we want our honey pots to be as accessible as 
possible to a would-be attacker or worm, our NAT subsystem must support as many of 
these protocols as possible. 

One known protocol that does not support NAT naturally and for which there is no 
current support in the Linux kernel, either in the standard kernel or in the form of a third- 
party module, is Microsoft's RPC protocol, which uses embedded source addresses. 
Microsoft DCOM uses Microsoft RPC. SMB (aka CIFS) and NetBIOS are known to 
work through a NAT device. 
5.2.1.2 Implementation Details 

Basics 

The Linux kernel, via the netfilter project, includes NAT capabilities. As a result, the 
low-level details of NAT are already taken care of. The subsystem builds upon this base 
by managing the high-level mapping of routable IPv4 addresses to honey pot systems. 

Routable Address States 

Routable IPv4 addresses that are available to be mapped to a honey pot instance can be in 
one of three states: Unassigned, Assigned, and Bound. 

Unassigned addresses are not mapped to any honey pot instance. They cannot be mapped 
to a honey pot instance until after a date and time recorded in the database. This is used to 
allow an address that goes from the Bound state to the Unassigned state to "cool off". 

When an Unassigned address becomes available it may be mapped to a honey pot, along 
with a number of other addresses, at which point its state becomes Assigned. 

When an Assigned address receives a packet it becomes Bound, while all other addresses 
mapped to the same honey pot instance become Unassigned and unmapped from the 
honey pot instance. 

When a honey pot is suspended, the Bound address mapped to it is unmapped, and its 
state becomes Unassigned. The date and time when it becomes available is set in the 
future to give the address some time to cool off. 

The state of routable addresses is maintained in the HoneyPotAddresses table. 

Executables 

A daemon, dionaea-mapd, maps a number of routable IPv4 addresses to honey pot 
instances. The daemon: 

• Creates an exclusive lock so that only one instance of it executes at any one time. 

• Loops and: 

o Looks up the status of all honey pot instances in the HoneyPotInstances 
table. 

o If the state of any honey pot instance changed to Suspended, Halted, 
Analyzed or Reviewed from Starting, Executing, Waiting, Contacted, 
Stopping, or Breached, then for each such honey pot instance: 

■ Looks up all the routable IPv4 addresses mapped to the honey pot 
instance in the HoneyPotAddresses and HoneyPotInstances 
tables. 

■ Removes all rules from the mangle table's PREROUTING chain 
that match as the IPv4 destination address one of the routable IPv4 
addresses mapped to the honey pot instance. 
■ Removes all rules from the nat table's PREROUTING chain that 
match as the destination IPv4 address one of the routable IPv4 
addresses mapped to the honey pot instance. 

■ Looks up the private IPv4 address of the honey pot system in the 
HoneyPotSystems table. 

■ Removes all rules from the nat table's POSTROUTING chain that 
match as the source IPv4 address the honey pot system's private 
IPv4 address. 

■ Sets the state of any addresses mapped to the honey pot 
instance to Unassigned in the HoneyPotAddresses table. If the 
address had a state of Bound the time when it becomes available 
should be set to ten minutes in the future (cooling off period), so 
that if the attacker attempts to connect to the honey pot again within 
ten minutes he won't attack a new instance of it, or an instance of 
another honey pot. 

■ Inserts a record in the HoneyPotAddressEvents table to indicate 
the state of Unassigned for any addresses mapped to the honey pot 
instance. 

o Looks up the status of all addresses in the HoneyPotAddresses table. 

o If there is a new honey pot instance with a state of Executing, or if the 
status of any address changed to Unassigned from some other state: 

■ Removes all rules from the mangle table's PREROUTING chain 
that match as the incoming interface the interface connected to the 
Internet and a state of NEW with a target of QUEUE. 

■ Computes the percentage of addresses that should be assigned to 
each honey pot instance in the Executing or Waiting state. 

■ For each address in the Assigned state, or in the Unassigned state 
whose availability date and time has passed: 

• Assigns, or reassigns, it to a honey pot instance, selecting 
the instance by a random weighted selection in 
correspondence with the percentage of addresses that 
should be assigned to each honey pot instance, changing 
the state of the address in the HoneyPotAddresses table 
accordingly. 

• Inserts a record in the HoneyPotAddressEvents table to 
indicate the status of Assigned. 

• Inserts a rule in the mangle table's PREROUTING chain 
that matches as the incoming interface the interface 
connected to the Internet, a state of NEW, and an IPv4 
destination address equal to the routable IPv4 address 
assigned to the honey pot instance, with a target of 
QUEUE. 



■ For each new honey pot instance with a status of Executing: 

• Modifies the record of the honey pot instance in the 
HoneyPotInstances table, setting the status to Waiting. 

• Inserts a record to the HoneyPotInstanceEvents table to 
indicate the honey pot instance's status is now Waiting. 

o Sleeps for 5 seconds. 

• Removes the exclusive execution lock. 

A daemon, dionaea-natd: 

• Waits for the kernel to pass it a packet that matches one of the rules in the mangle 
table's PREROUTING chain with a target of QUEUE, signaling the initiation of a 
connection towards the honey pot instance. 

• Looks up the honey pot instance associated with the IPv4 destination address of 
the packet in the HoneyPotAddresses and HoneyPotInstances tables. 

• Looks up all the routable IPv4 addresses mapped to the honey pot instance in the 
HoneyPotAddresses table. 

• Removes all rules from the mangle table's PREROUTING chain that match as the 
IPv4 destination address one of the routable IPv4 addresses mapped to the honey 
pot instance. 

• For each routable IPv4 address mapped to the honey pot instance, except the one 
that is the destination of the packet received: 

o Sets its state to Unassigned in the HoneyPotAddresses table. 

o Inserts a record in the HoneyPotAddressEvents table to indicate the 
status of Unassigned. 

• Looks up the honey pot instance private IPv4 address in the HoneyPotSystems 
table. 

• Inserts a new rule in the nat table's PREROUTING chain that matches as the 
incoming interface the interface connected to the Internet with a target of DNAT 
that maps the destination IPv4 address from the received packet to the honey pot 
instance's private IPv4 address. 

• Inserts a new rule in the nat table's POSTROUTING chain that matches as the 
outgoing interface the interface connected to the Internet with a target of SNAT 
that maps the honey pot instance's private IPv4 address to the destination IPv4 
address from the received packet. 

• Sets the state of the destination IPv4 address from the received packet to Bound in 
the HoneyPotAddresses table. 
• Inserts a record in the HoneyPotAddressEvents table to indicate the status of 
Bound. 

• Sets the status of the honey pot instance to Contacted in the HoneyPotInstances 
table. 

• Inserts a record to the HoneyPotInstanceEvents table to indicate the honey pot 
instance status is now Contacted. 

• Responds to the kernel with a verdict of NF_ACCEPT for the packet, which will 
cause the packet to continue its route through the kernel NAT, connection tracking 
and packet filtering code. 

The daemons can modify the kernel's nat table via the libiptc C library and the IPTables 
Perl module. 

The dionaea-natd daemon monitors network traffic for the first packet to initiate a 
connection to a honey pot instance via the libipq C library and the perlipq Perl module. 

The following connection tracking/NAT modules must be configured in the Linux kernel: 
ftp, eggdrop-conntrack, irc-conntrack, pptp, record-rpc, snmp-nat, talk-conntrack-nat, and 
tftp. 
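The routable address state machine (Unassigned, Assigned, Bound with cool-off) together with the mapping steps of dionaea-mapd and dionaea-natd above, as an added example in Python that is not AQS code: the in-memory AddressMapper stands in for the HoneyPotAddresses and HoneyPotInstances tables, and instead of calling libiptc it records the iptables commands the daemons would issue; the 198.51.100.0/24 and 192.168.1.0/24 addresses in the comments and test are constructed.

```python
import random
from dataclasses import dataclass
from typing import Optional

COOL_OFF_SECONDS = 600   # ten-minute cooling off period for a Bound address


@dataclass
class Address:
    ip: str
    state: str = "Unassigned"          # Unassigned, Assigned or Bound
    instance: Optional[int] = None     # honey pot instance it is mapped to
    available_at: float = 0.0          # earliest time it may be assigned again


@dataclass
class Instance:
    id: int
    private_ip: str
    weight: float                      # share of the routable pool it should receive
    status: str = "Executing"


class AddressMapper:
    def __init__(self, addresses, instances, internet_if="eth0", rng=None):
        self.addresses = {a.ip: a for a in addresses}
        self.instances = {i.id: i for i in instances}
        self.internet_if = internet_if
        self.rng = rng or random.Random()
        self.rules = []   # (key, command): key is the address the rule belongs to

    def _drop_rules(self, keys):
        self.rules = [(k, c) for k, c in self.rules if k not in keys]

    def _pick_instance(self):
        """Weighted random selection among instances waiting for contact."""
        cands = [i for i in self.instances.values() if i.status in ("Executing", "Waiting")]
        if not cands:
            return None
        return self.rng.choices(cands, weights=[i.weight for i in cands])[0]

    def rebalance(self, now):
        """dionaea-mapd: (re)assign every Assigned or cooled-off Unassigned address."""
        for a in self.addresses.values():
            if a.state == "Bound" or (a.state == "Unassigned" and a.available_at > now):
                continue
            inst = self._pick_instance()
            if inst is None:
                break                   # nobody is waiting for incoming connections
            self._drop_rules({a.ip})    # replace the address's old QUEUE rule
            a.state, a.instance = "Assigned", inst.id
            self.rules.append((a.ip, f"iptables -t mangle -A PREROUTING -i {self.internet_if} "
                                     f"-m state --state NEW -d {a.ip} -j QUEUE"))
        for inst in self.instances.values():
            if inst.status == "Executing":
                inst.status = "Waiting"

    def contact(self, dst_ip):
        """dionaea-natd: the first NEW packet towards dst_ip binds it and frees the rest."""
        bound = self.addresses[dst_ip]
        inst = self.instances[bound.instance]
        siblings = {a.ip for a in self.addresses.values() if a.instance == inst.id}
        self._drop_rules(siblings)      # no more QUEUE rules for this instance
        for ip in siblings - {dst_ip}:
            a = self.addresses[ip]
            a.state, a.instance = "Unassigned", None   # reusable at once, no cool-off
        self.rules.append((dst_ip, f"iptables -t nat -A PREROUTING -i {self.internet_if} "
                                   f"-d {dst_ip} -j DNAT --to-destination {inst.private_ip}"))
        self.rules.append((inst.private_ip, f"iptables -t nat -A POSTROUTING -o {self.internet_if} "
                                            f"-s {inst.private_ip} -j SNAT --to-source {dst_ip}"))
        bound.state = "Bound"
        inst.status = "Contacted"
        return "NF_ACCEPT"

    def release(self, instance_id, now, new_status="Suspended"):
        """dionaea-mapd once the instance has left Executing/Waiting/Contacted/Breached."""
        inst = self.instances[instance_id]
        inst.status = new_status
        mapped = {a.ip for a in self.addresses.values() if a.instance == inst.id}
        self._drop_rules(mapped | {inst.private_ip})   # QUEUE, DNAT and SNAT rules
        for ip in mapped:
            a = self.addresses[ip]
            if a.state == "Bound":
                a.available_at = now + COOL_OFF_SECONDS   # let the address cool off
            a.state, a.instance = "Unassigned", None
```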

5.3 Honey Pot Support Services Server 

The honey pot support services server hosts the following subsystem: 

• Honey Pot Support Services, such as DHCP and DNS services, which assist in the 
correct functioning of the honey pots. 

5.3.1 Honey Pot Support Services 

The Honey Pot Support Services subsystem provides network services to the honey pot 
systems that are necessary for their proper functioning. 

The services include: 

• DHCP. 

• Recursive DNS. 

5.3.1.1 Reasoning 

DHCP Service 

We do not wish to need to manually configure each honey pot archetype. We want to be 
able to create a honey pot archetype and use it to instantiate as many honey pot systems 
of the type represented by the archetype as necessary. DHCP permits the honey pot 
instance to learn its IPv4 address, subnet mask, gateway address, and DNS server without 
them being hard-coded into the configuration stored in the archetype. 

Recursive DNS Service 
The Domain Name System maps alphanumeric hostnames to IPv4 addresses. If some 
malicious code or attacker breaches a honey pot instance and attempts to make a network 
connection to some system using a hostname, the hostname needs to be mapped to an 
IPv4 address by a DNS server. Without one the network connection will fail, the attacker 
may detect something is wrong, and we will fail to find out why the malicious code or 
attacker wished to connect to the remote system. 

5.3.1.2 Implementation Details 

DHCP Service 

When it comes to DHCP under Linux/UNIX the ISC DHCP server is the only game in 
town. We use ISC DHCP version 3.0 with the paranoia patch 
(http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch), which 
adds support for changing the root directory of the server and executing the server as a 
non-root user and group. 

The DHCP server executes with a different root directory, a non-root user id, and non-root 
group id. 

The DHCP server is configured to assign each honey pot system a static IPv4 address 
based on its Ethernet address. When a new honey pot system is added to the honey pot 
server it is assigned an Ethernet address, which is stored in the database. At the same 
time, the DHCP server's configuration file must be modified to add the new honey pot 
system's Ethernet address and its matching static private IPv4 address. 

The lease timeout is set to 86400 seconds (one day) to minimize the DHCP network 
traffic. 

Recursive DNS Service 

For the recursive DNS server we are using the dnscache tool from D.J. Bernstein's 
djbdns software. The tool runs under its own user and group ids, and executes with a 
different root directory in its standard installation. 

The dnscache tool must be configured to only accept DNS queries from the 192.68.0.0/16 
honey pot network by creating the empty file /etc/dnscache/root/ip/192.68. 



5.4 Honey Pot Management Server 

The honey pot management server hosts the following subsystems: 

• Post-Intrusion Automated Analysis, which analyzes a honey pot's state after an 
intrusion; analyzes the captured network traffic to detect attacks or probes, 
determine the operating system of the attacker, and decrypt some network traffic; 
requests probes of attacking system; and submits executable samples to DIS. 

• Web-based Interface. 
5.4.1 Post-Intrusion Automated Analysis 

The Post-Intrusion Automated Analysis subsystem performs some automated analysis of 
the intrusion, feeds samples to DIS, and makes information available to the analysts via 
the database. 

The subsystem: 

• Determines whether any changes were made to the honey pot instance's file 
system, including detecting new files. 

• Attempts to determine the type of any new files discovered in the honey pot 
instance's file system. 

• Attempts to determine whether any new files found on the honey pot instance are 
an instance of some known malicious code by querying the Malware Oracle. 

• Analyzes the captured network traffic for probes and attacks (NIDS). 

• Performs passive network stack fingerprinting to determine the platform of the 
IPv4 addresses communicating with the honey pot instance. 

• Decrypts HTTP over SSL/TLS (HTTPS) network traffic. 

• Probes remote hosts. 

• Submits any new executable files to DIS. 

• Makes the breach information available to the analysts via the database. 

5.4.1.1 Reasoning 

Performing an analysis of a computer intrusion is a resource intensive task. By 
automating some of the most common analysis processes we alleviate the load on the 
analysts and allow them to concentrate on other parts of the analysis process. The 
automated analysis also permits an analyst to make a quick determination whether the 
incident is the result of some known malicious code or was conducted with a known 
attack, allowing them to concentrate on the more interesting breaches. 

Detecting File System Changes 

VMware under Linux supports the mounting of virtual disks. Since Linux supports a 
number of file systems this permits us to access a honey pot's file system, although 
through the lens of the POSIX API. This facility permits us to perform a basic file 
integrity analysis of the honey pot's file system to detect some file changes, such as 
changes in content, deletion of files, and addition of files. Because some of the file 
attributes available in some non-native Linux file systems do not map well to the standard 
UNIX file system semantics, things such as NTFS ACLs and streams, as well as FAT 
attributes, cannot be analyzed easily. Nonetheless, the basic analysis is capable of 
detecting most of the common changes to a file system during a breach. 

There are a number of tools readily available that perform file system integrity 
verification. They will serve us well in detecting changes to the virtual disks mounted as 
directories under Linux. In some future revision of AQS we may need to augment these 
tools or write our own if we decide to attempt to capture some of the file system 
attributes that are not expressed via the common POSIX API. 

Detecting the Type of a File 

Guessing the file type of modified or created files in the breached honey pot instance's 
file system can help the analyst prioritize his analysis work by steering him to executable 
files that may contain malicious code, exploits, or other hacking tools. 

Detecting Known Malicious Code 

Detecting whether any of the modified or created files in the breached honey pot 
instance's file system are an instance of some known malicious code helps the analyst 
focus on his analysis in files of unknown contents or skip performing the analysis of 
some breaches altogether. 

Detecting Network Probes and Attacks 

Detecting known network probes and attacks can help the analysts determine whether the 
attack pattern resembles that of known malicious code or tools, and whether the attack 
was known or unknown, allowing them to best determine what to analyze. 

Detecting the Attacker's Platform 

Detecting the operating system of the source of any probes or attacks can help the 
analysts distinguish between common attack patterns (e.g. attacks associated with 
CodeRed being launched from a Windows host) and unusual ones (e.g. attacks associated 
with CodeRed being launched from a Solaris host), thus helping them decide what to 
analyze and what to ignore. 

Decrypting SSL/TLS Network Traffic 

Network encryption can hide the details of an attack in the analysis of captured network 
traffic. In particular, malicious code or attackers may use HTTP over SSL/TLS (HTTPS) 
to hide their attack from network monitoring devices, such as intrusion detection systems. 
It would be useful to be capable of decrypting such traffic to make analysis easier. 

5.4.1.2 Implementation Details 

5.4.1.2.1 Detecting File System Changes 

The AIDE file system integrity verification tool (http://www.cs.tut.fi/~rammer/aide.html) 
allows its user to detect file system changes. We use it to detect file system changes in 
honey pot instances. 

When a new honey pot virtual disk archetype is created a corresponding AIDE 
configuration file and database must be created. These configuration file and database are 
used to detect any changes to the honey pot instance's file system. The archetype AIDE 
configuration file is stored under /var/dionaea/archetypes/<ar>/aide/aide.conf. The 
archetype AIDE database is stored under /var/dionaea/archetypes/<ar>/aide.db. 

The AIDE configuration file includes a list of files and directories to check for changes or to 
ignore. This list must be finely tuned when creating an archetype so that files that change 
during the normal execution of the system are not included. All selection lines must also 
start the file to check or ignore with /var/dionaea/mount. This is the directory used to 
mount any file system for analysis. 

When we perform post-intrusion analysis on a honey pot instance we compare the 
archetype AIDE database to the post-intrusion file system by executing the aide 
command with arguments of -C,-config=/var/dionaea/archetypes/<ar>/aide/aide.conf, 
-B "database=/var/dionaea/archetypes/<ar>/aide/aide.db", and -r 
flle:/var/dionaea/post/<iif>-<;i/i5/aiic^>/analysis/aide«out. 

The output of AIDE can be machine parsed, although it was not specifically designed 
for this purpose. While the analyst can make use of the output as it is, we also parse the 
output to determine which files were modified or new, in order to record these changes in 
the database. 

The output of AIDE is used to determine if any files have been modified or created in the 
breached honey pot instance. For the purpose of capturing samples we are only interested 
in modified files whose checksum has changed, or new files. 

Files that have been modified with a new checksum or have been created are copied to 
the /var/dionaea/post/<id>-<instance>/analysis/files/samples directory located with the 
rest of the breached honey pot instance's state. As they are copied the files are renamed 
so as to include their pathname within their filename. For instance, if the file 
WINNT/REGEDT.EXE has been modified or created it is copied under the filename 
WINNT=REGEDT.EXE. This ensures that two files with the same filename but in 
different locations within the file system of the honey pot are assigned unique names 
when copied. 

Attributes of the new or modified file are stored in a file with the same name in the 
/var/dionaea/post/<id>-<instance>/analysis/files/info directory. The attributes that are 
saved include: 

• The path name of the sample, including the drive letter for platforms with that 
concept. 

• The filename. 

• Its size. 

• Its timestamps. 

• Its MD5 and SHA1 hash. 

• The platform the sample was captured on. 

The list of deleted, modified, or new files is stored in the database in records associated 
with this breach. 

The command dionaea-post-aide takes as arguments the honey pot system id and honey 
pot instance id, and: 

• Looks up the honey pot system's archetype in the HoneyPotSystems, 
VMwareHoneyPotSystems, and VMwareHoneyPotArchetypes tables. 

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• Executes the aide command with arguments of -C, 
--config=/var/dionaea/archetypes/<ar>/aide/aide.conf, -B 
"database=/var/dionaea/archetypes/<ar>/aide/aide.db", and -r 
file:/var/dionaea/post/<id>-<instance>/analysis/aide.out. 

• Parses the /var/dionaea/post/tmp/<id>-<instance>/analysis/aide.out file in 
search of modified files with a new checksum or new files. 

• Inserts the data into the FileSystemChanges table. 
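The selection and bookkeeping steps above, as an added Python example that is not part of this specification or of the dionaea tools: it parses an aide.out, keeps only new files and modified files whose checksum changed, encodes the sample name, and builds the attribute record kept under analysis/files/info. The aide.out layout is an assumption modelled on AIDE's classic report ("added:"/"changed:"/"removed:" lines plus a detailed section with "MD5 : old , new" lines); the report text, the mount tree and the platform label are constructed.

```python
"""Added example, not part of the AQS specification or of the dionaea tools:
the file selection and sample bookkeeping of Section 5.4.1.2.1.  The aide.out
layout is an assumption modelled on AIDE's classic report; the report text,
the mount tree and the platform label are constructed."""
import hashlib
import os
import tempfile

MOUNT_ROOT = "/var/dionaea/mount"   # mount point every AIDE selection line must start with

# Constructed AIDE report: one new file, one removed file, one changed file
# whose MD5 changed, and one whose only change is its modification time.
AIDE_OUT = """\
AIDE found differences between database and filesystem!!
Added files:
added: /var/dionaea/mount/WINNT/SYSTEM32/evil.dll
Removed files:
removed: /var/dionaea/mount/WINNT/SYSTEM32/old.log
Changed files:
changed: /var/dionaea/mount/WINNT/REGEDT.EXE
changed: /var/dionaea/mount/WINNT/system.ini
Detailed information about changes:
File: /var/dionaea/mount/WINNT/REGEDT.EXE
  MD5      : 1111aaaa , 2222bbbb
File: /var/dionaea/mount/WINNT/system.ini
  Mtime    : 2002-12-20 13:42:41 , 2002-12-20 13:43:01
"""


def parse_aide_report(report, mount_root=MOUNT_ROOT):
    """Return {"new", "modified", "removed"} lists of paths relative to
    mount_root.  "modified" keeps only files whose checksum changed (what
    sample capture needs); a file with just a new timestamp is left out.
    "removed" is kept for the FileSystemChanges record only."""
    added, removed, changed, checksum_changed = [], [], [], set()
    current = None
    for line in report.splitlines():
        if line.startswith("added: "):
            added.append(line[len("added: "):])
        elif line.startswith("removed: "):
            removed.append(line[len("removed: "):])
        elif line.startswith("changed: "):
            changed.append(line[len("changed: "):])
        elif line.startswith("File: "):
            current = line[len("File: "):]
        elif line.lstrip().startswith("MD5") and current:
            # Detailed section: "MD5 : <database value> , <current value>"
            old, _, fresh = line.split(":", 1)[1].partition(",")
            if old.strip() != fresh.strip():
                checksum_changed.add(current)
    prefix = mount_root.rstrip("/") + "/"

    def rel(path):
        return path[len(prefix):] if path.startswith(prefix) else path

    return {
        "new": [rel(p) for p in added],
        "modified": [rel(p) for p in changed if p in checksum_changed],
        "removed": [rel(p) for p in removed],
    }


def sample_name(rel_path):
    """Encode the path into the filename so same-named files from different
    directories get distinct sample names: WINNT/REGEDT.EXE -> WINNT=REGEDT.EXE.
    (The spec does not say how a '=' already in a path is treated.)"""
    return rel_path.replace("/", "=")


def describe_sample(root, rel_path, platform, drive=None):
    """Build the attribute record for analysis/files/info: path name (with a
    drive letter where the platform has one), filename, size, timestamps,
    MD5, SHA-1 and the platform the sample was captured on."""
    full = os.path.join(root, rel_path)
    st = os.stat(full)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(full, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    pathname = drive + "\\" + rel_path.replace("/", "\\") if drive else "/" + rel_path
    return {
        "pathname": pathname,
        "filename": os.path.basename(rel_path),
        "size": st.st_size,
        "timestamps": (int(st.st_atime), int(st.st_mtime), int(st.st_ctime)),
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "platform": platform,
    }


def build_sample_fixture():
    """Constructed stand-in for a mounted honey pot disk: a temporary tree
    holding WINNT/REGEDT.EXE with the bytes b"abc".  Returns (root, rel path)."""
    root = tempfile.mkdtemp(prefix="aqs-mount-")
    os.makedirs(os.path.join(root, "WINNT"))
    with open(os.path.join(root, "WINNT", "REGEDT.EXE"), "wb") as fh:
        fh.write(b"abc")
    return root, "WINNT/REGEDT.EXE"
```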



5.4.1.2.2 Detecting the Type of a File 

The Perl module File::Type - http://www.perl.com/language/ppt/src/file/file.slav.html - 
is capable of estimating a file type. The latest version of the standard file command can 
be found at ftp://ftp.gw.com/mirrors/pub/unix/file/ . While neither of these tools can 
detect all file types, they provide some information for an analyst to prioritize their 
analysis. 

If any files in the honey pot instance's file system were modified or new ones created, 
then each one of them will be passed through one of these tools to estimate its file type. 
The estimated type of the modified or new files is stored in the database. 

The command dionaea-post-ftype takes as an argument a file to analyze and: 

• Estimates the file type by using the Perl module File::Type or the file command. 

• Returns the file type. 

5.4.1.2.3 Detecting Known Malicious Code 

The Malware Oracle subsystem is used to determine whether any of the modified or new 
files in the breached honey pot instance's file system are an instance of some known 
malicious code. 

If any files in the honey pot instance's file system were modified or new ones created, 
then each one of them is submitted to the Malware Oracle for analysis. The answer from 
the Malware Oracle is stored in the database. 

The interface to the Malware Oracle is specified in the DeepSight Malware Oracle 2.0 
Functional Requirements Document. 

5.4.1.2.4 Detecting Network Probes and Attacks 

The Snort IDS can examine network traffic and generate alerts if it detects probes or 
attacks. It also has the capability of examining captured network traffic stored in a file in 
the pcap dump file format. 

The probe and attack signatures used by Snort, or rules, as well as its configuration file, 
are stored in the /var/dionaea/conf/snort directory. Snort is configured to reassemble IP 
packets (frag2 preprocessor) and TCP streams (stream4 & stream4_reassemble 
preprocessors), decode the HTTP (http_decode preprocessor), RPC (rpc_decode 
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preprocessor), and TELNET (telnet_decode preprocessor) protocols, and detect port 
scans (portscan preprocessor). 

Snort is also configured to use the alert_fast output plug-in with an output filename of 
snort.txt, and the xml output plug-in with an output filename of snort.xml. These files 
are created in the /var/dionaea/post/tmp/<id>-<instance>/analysis directory. 

The dionaea-post-snort command takes as arguments the honey pot system id and the 
honey pot instance id. It: 

• Executes the snort command with arguments of -NqUyz, -k all, -l 
/var/dionaea/post/tmp/<id>-<instance>/analysis, -c 
/var/dionaea/conf/snort/snort.conf, and -r /var/dionaea/post/tmp/<id>-
<instance>/netcap. 

• Parses the /var/dionaea/post/tmp/<id>-<instance>/analysis/snort.xml file and 
inserts the data into the NetworkEvents table. 

5.4.1.2.5 Detecting the Attacker's Platform 

The passive OS fingerprinting tool (p0f) can examine network traffic and estimate the 
operating system executing on the remote hosts by matching the parameters of the packets 
they produce against known fingerprints for some platforms. It also has the capability of 
examining captured network traffic stored in a file in the pcap dump file format. 

p0f takes as input a fingerprint file that contains the information used to identify 
operating systems from their network traffic. This file is stored in 
/var/dionaea/conf/p0f-fingerprints. 

p0f is executed to examine the captured network traffic to/from the honey pot instance. 
Since the NAT code could modify some of the network traffic we examine the network 
traffic captured before NAT is applied, which is stored in the file 
/var/dionaea/post/<id>-<instance>/netcap. Its output is stored in 
/var/dionaea/post/<id>-<instance>/analysis/p0f.out. 

The command dionaea-post-p0f takes as arguments the honey pot system id and honey 
pot instance id, and: 

• Executes the p0f command with arguments of -t, -q, -f /var/dionaea/conf/p0f-
fingerprints, -s /var/dionaea/post/tmp/<id>-<instance>/netcap, -o 
/var/dionaea/post/tmp/<id>-<instance>/analysis/p0f.out. 

• Parses the file /var/dionaea/post/tmp/<id>-<instance>/analysis/p0f.out and 
inserts the data into the RemoteSystems table. This not only determines the remote 
system platform, but also builds the list of remote systems. 

5.4.1.2.6 Decrypting SSL/TLS Network Traffic 

The ssldump tool is an SSL/TLS traffic analyzer that is capable of decrypting any data 
transmitted through SSL/TLS if provided with the private RSA key of the SSL/TLS 
server. 
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Since ssldump requires the private RSA key of the SSL/TLS server we generate one key 
pair that we configure as the server's key in any honey pot system configured to run an 
HTTP server. The private key is stored in /var/dionaea/conf/ssldump/key.pem. The 
public key certificate is stored in /var/dionaea/conf/ssldump/cert.pem. 

To generate the key and a self-signed X.509 certificate we use the openssl command as 
follows: 

openssl req -new -x509 -days 999 -nodes -out cert.pem \ 
    -keyout key.pem 


5.4.1.2.7 Probing Remote Hosts 

The Inquisitor system provides a service through which remote hosts can be probed to 
actively determine their operating system and the status of their TCP and UDP port 
numbers, as well as some other information. 

The command dionaea-post-probe takes as an argument the id of the remote system to probe. It: 

• Looks up the remote system's IPv4 address in the RemoteSystems table. 

• Contacts the Inquisitor server. 

• Commands it to probe the IPv4 address. 

• Reads the request id returned by the Inquisitor server. 

• Creates a file, named after the request id returned by the Inquisitor server and whose 
contents are the remote system's id, in the directory /var/dionaea/inquisitor/outstanding. 

A daemon, dionaea-post-probed, polls the Inquisitor server to collect the probe results. 
It: 

• Writes its process id to the file /var/dionaea/inquisitor/pid. 

• Loops and: 

o Reads the directory /var/dionaea/inquisitor/outstanding. 

o For each file it: 

■ Probes the Inquisitor server to determine whether the probing has 
completed. 

■ If it has: 

• Reads the probe result. 

• Reads the file's content, which has the remote system id. 

• Parses the XML result. 

• Inserts the result into the RemoteSystems and 
RemoteSystemPorts tables. 

• Removes the file from the directory 
/var/dionaea/inquisitor/outstanding. 
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5.4.1.2.8 Submitting Samples to DIS 

Any modified or new executable files found on the honey pot instance's file system are 
submitted to DIS for analysis. The protocol to communicate with DIS is documented in 
Immune System network protocol, twelfth draft. 

A daemon, dionaea-disd, monitors the directory that contains the new or modified files 
found in the honey pot instances for changes and submits any files added to it to a DIS 
gateway over the HTTP protocol via a POST command to the /AVIS/postSuspectSample 
URL. At the same time the file sample's attributes are transmitted via HTTP headers. (See 
Immune System network protocol, twelfth draft, Section 10.4.) It then moves the 
submitted file to a pending directory. 

The daemon does not need to send the X-Sample-Category, X-Customer-Credential, or X-
Platform-Correlator HTTP headers. They are not currently in use by DIS. 

The daemon uses a value of 900 in the X-Sample-Priority HTTP header when submitting 
a sample. 

The daemon uses the value unknown in the X-Sample-Reason HTTP header when 
submitting a sample. 

Another daemon periodically polls the DIS gateway to determine the status of file 
samples submitted earlier that have not reached a terminal state. It does this by issuing an 
HTTP HEAD command for the /AVIS/getSampleStatus partial URI to the DIS gateway. 
(See Immune System network protocol, twelfth draft, Section 10.7.) Once the gateway 
returns a status for the submitted sample the status is stored in the database. It also moves 
the file from the pending directory to a done directory. The subsystem stops querying the 
status of a submitted sample once its status is a terminal state. The X-Date-Analyzed 
header in a response indicates a terminal state. (See Immune System network protocol, 
twelfth draft, Section 8.2.) 

Also stored in the database is a human friendly status message. This message is mapped 
from the returned status to a standard message for most statuses, mapped to the contents 
of the returned X-Attention header for a status of attention, and mapped to the contents of 
the returned X-Error header for a status of error, which in turn is mapped to a human 
friendly error message stored in the database. (See Immune System network protocol, 
twelfth draft, Section 8.5.) 
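The submission and polling behaviour described above, as an added Python example that is not part of this specification or of dionaea-disd: it builds the fixed submission headers, recognises a terminal state from X-Date-Analyzed, maps a status to its message, and moves the sample from the pending to the done directory. The status strings other than attention and error, the standard messages, the X-Error code table and the attribute header name used in the test are constructed assumptions, since the page does not name them.

```python
"""Added example, not part of the AQS specification or of dionaea-disd: the
DIS submission headers and status polling of Section 5.4.1.2.8.  Statuses
other than "attention" and "error", the standard messages and the X-Error
code table are constructed stand-ins for the database tables the spec
refers to; the sample attribute headers are supplied by the caller."""
import os
import shutil
import tempfile

SAMPLE_PRIORITY = "900"      # fixed X-Sample-Priority value from the spec
SAMPLE_REASON = "unknown"    # fixed X-Sample-Reason value from the spec
# Headers the spec says need not be sent because DIS does not use them.
UNUSED_HEADERS = ("X-Sample-Category", "X-Customer-Credential", "X-Platform-Correlator")

# Constructed stand-ins for the message tables of the DIS protocol, Section 8.5.
STANDARD_MESSAGES = {
    "queued": "Sample queued for analysis.",
    "analyzing": "Sample is being analyzed.",
}
ERROR_MESSAGES = {
    "E_CORRUPT": "Sample could not be unpacked.",
    "E_TOO_LARGE": "Sample exceeds the size limit.",
}


def submit_headers(attribute_headers):
    """Headers for the POST to /AVIS/postSuspectSample: the sample's attribute
    headers plus the fixed priority and reason; headers DIS ignores are dropped."""
    headers = {k: v for k, v in attribute_headers.items() if k not in UNUSED_HEADERS}
    headers["X-Sample-Priority"] = SAMPLE_PRIORITY
    headers["X-Sample-Reason"] = SAMPLE_REASON
    return headers


def _header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_terminal(response_headers):
    """A HEAD /AVIS/getSampleStatus response carrying X-Date-Analyzed signals
    a terminal state, after which the sample is no longer polled."""
    return _header(response_headers, "X-Date-Analyzed") is not None


def status_message(status, response_headers):
    """Human-friendly message: X-Attention for status "attention", the mapped
    X-Error code for status "error", otherwise the standard message."""
    if status == "attention":
        return _header(response_headers, "X-Attention") or "Attention required."
    if status == "error":
        code = _header(response_headers, "X-Error")
        return ERROR_MESSAGES.get(code, "Unknown error (%s)." % code)
    return STANDARD_MESSAGES.get(status, "Status: %s" % status)


def record_status(sample, status, response_headers, db, pending_dir, done_dir):
    """Store status and message in db (a dict standing in for the database)
    and, on a terminal state, move the sample file from pending to done.
    Returns True while the sample still has to be polled."""
    db[sample] = {"status": status, "message": status_message(status, response_headers)}
    if not is_terminal(response_headers):
        return True
    os.makedirs(done_dir, exist_ok=True)
    src = os.path.join(pending_dir, sample)
    if os.path.exists(src):
        shutil.move(src, os.path.join(done_dir, sample))
    return False


def sample_location(sample, pending_dir, done_dir):
    """Which queue directory currently holds the sample file, if any."""
    if os.path.exists(os.path.join(done_dir, sample)):
        return "done"
    if os.path.exists(os.path.join(pending_dir, sample)):
        return "pending"
    return None


def make_pending_fixture(sample="WINNT=REGEDT.EXE"):
    """Constructed queue: a temporary pending directory holding one submitted
    sample.  Returns (pending_dir, done_dir, sample name)."""
    root = tempfile.mkdtemp(prefix="aqs-dis-")
    pending, done = os.path.join(root, "pending"), os.path.join(root, "done")
    os.makedirs(pending)
    with open(os.path.join(pending, sample), "wb") as fh:
        fh.write(b"MZ")
    return pending, done, sample
```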

5.4.1.2.9 Putting It All Together 

A daemon, dionaea-post-analysisd, drives the post-intrusion analysis of the breached 
honey pot instance. The daemon: 

• Loops and: 

o Lists the files in the directory /var/dionaea/post/incoming. 

o If it finds any files in the directory: 

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■ For any files of the form <id>-<instance>A2LY that it finds, it: 

• Extracts the archive to the directory 
/var/dionaea/post/tmp/<id>-<instance>. 

• Executes dionaea-post-analysis with the directory as an 
argument. 

• Moves the directory /var/dionaea/post/tmp/<id>-
<instance> to /var/dionaea/post/done/<id>-<instance>. 

• Modifies the record of the honey pot instance in the 
HoneyPotInstances table, setting the status to Analyzed. 

• Inserts a record into the HoneyPotInstanceEvents table to 
indicate the honey pot instance state is now Analyzed. 

o Else, it sleeps for 30 seconds. 

A command, dionaea-post-analysis, does the post-intrusion analysis of the breached 
honey pot instance. The command: 

• Executes the dionaea-post-p0f command with arguments of the honey pot system 
id and the honey pot instance id. 

• Executes the dionaea-post-snort command with arguments of the honey pot 
system id and the honey pot instance id. 

• Executes the ssldump command with arguments of -dnN, -r 
/var/dionaea/post/tmp/<id>-<instance>/netcap, and -k 
/var/dionaea/conf/ssldump/cert.pem, while redirecting its output to the file 
/var/dionaea/post/tmp/<id>-<instance>/analysis/ssldump.out. 

• Mounts the honey pot instance's virtual disk in the directory /var/dionaea/mount 
in read-only mode by using the vmware-mount.pl command. 

• Executes the dionaea-post-aide command with arguments of the honey pot 
system id and the honey pot instance id. 

• If any modified files with new checksums or new files are found: 

o It copies the file to the /var/dionaea/post/tmp/<id>-
<instance>/analysis/files/samples directory while at the same time 
renaming it so that its pathname is encoded in the new filename (e.g. 
WINNT/REGEDT.EXE becomes WINNT=REGEDT.EXE). 

o It estimates the file type by using the dionaea-post-ftype command and 
updates the record in the FileSystemChanges table. 

o It writes to a file with the same name but in the directory 
/var/dionaea/post/tmp/<id>-<instance>/analysis/files/info the following 
attributes of the copied file: 

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■ The path name of the sample, including the drive letter for 
platforms with that concept. 

■ The filename. 

■ Its size. 

■ Its timestamps. 

■ Its MD5 and SHA1 hash. 

■ The platform the sample was captured on. 

■ The estimated file type. 

• Unmounts the honey pot instance's virtual disk mounted at /var/dionaea/mount/. 

• For each remote system in the RemoteSystems table associated with this instance 
it: 

o Executes dionaea-probe with the remote system id. 

• Submits any modified or new files to the Malware Oracle. 

• Submits any modified or new executable files to DIS. 

5.4.2 Web-Interface 

The web interface provides a mechanism for operators to interact with the AQS. 

5.4.2.1 Home Page 

This is the home page of the AQS web interface. The example below shows the page 
displayed to an operator with the roles of administrator, dispatcher, and analyst. The rows 
Configurable Objects and Events are only displayed to administrators. The Work Queue 
link is only displayed to analysts. The Work Queue Management link is only displayed to 
dispatchers. 

(Screenshot, reconstructed from the figure:) 

Honey Pots 

Configurable Objects: [ Operators ] [ Networks ] [ Servers ] [ Systems ] [ VMware Archetypes ] 
Dynamic Objects: [ Addresses ] [ Instances ] 
Work: [ Work Queue ] [ Work Queue Management ] 
Events: [ Configuration Events ] [ Instance Events ] 
Tools: [ Submit to Malware Oracle ] 
Account Management: [ Change Password ] 
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5.4.2.2 Honey Pots : Operators 

This page displays a list of operator accounts configured in the system and permits an 
administrator to create new accounts, edit existing accounts, change passwords, and 
display configuration events associated with an operator object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Operators 

[ New Operator ] [ Show Archived ] [ Oper
ator Events ] 

Columns: Username, Name, State, Admin, Dispatcher, Analyst, followed by 
[ Change Password ] [ Events ] [ Edit ] links for each row. Example rows (the role flags 
are only partly legible in the scan): aleph1 (Elias Levy; Admin Yes, Dispatcher No, 
Analyst Yes), cdavison (Craig Davison, Disabled), mario (Mario, Enabled). 



5.4.2.3 Honey Pots : Operators : New 

This page permits an administrator to create a new operator account. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Operators : New 

Form fields: Username, Name, Roles (check boxes for Admin, Dispatcher, Analyst), Comment. 

5.4.2.4 Honey Pots : Operators : Events 

This page displays a list of all events affecting operator objects. 

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(Screenshot, reconstructed from the figure:) 

Honey Pots : Operators : Events 

Timestamp            Action   Operator                  By                        Comments 
2002-12-25 16:32:09  Edited   Craig Davison (cdavison)  Craig Davison (cdavison)  Password changed. 
2002-12-25 14:13:24  Edited   Mario (mario)             Elias Levy (aleph1)       Added dispatcher role. 
2002-12-23 12:34:41  Enabled  Craig Davison (cdavison)  Mario (mario)             Turning it on. 
2002-12-23 10:01:31  Created  Craig Davison (cdavison)  Mario (mario)             New account for Craig. 

5.4.2.5 Honey Pots : Operators : Change State : <Operator> 

This page permits an administrator to change the state of an operator object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Operators : Change State : Craig Davison (cdavison) 

Form fields: Current State (Enabled, read-only), New State (drop-down, showing Disabled), 
Comment. 

5.4.2.6 Honey Pots : Operators : Change Password : <Operator> 

This page permits an administrator to change an operator's password. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Operators : Change Password : Craig Davison (cdavison) 

Form fields: New Password, New Password (again); [ Change Password ] button. 

5.4.2.7 Honey Pots : Operators : Events : <Operator> 

This page permits an administrator to view the events affecting a specific operator object. 

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(Screenshot, reconstructed from the figure:) 

Honey Pots : Operators : Events : Craig Davison (cdavison) 

Timestamp            Action   By                        Comments 
2002-12-25 16:32:09  Edited   Craig Davison (cdavison)  Password changed. 
2002-12-25 14:13:24  Edited   Elias Levy (aleph1)       Added dispatcher role. 
2002-12-23 12:34:41  Enabled  Mario (mario)             (illegible) 
2002-12-23 10:01:31  Created  Mario (mario)             New account for Craig. 

5.4.2.8 Honey Pots : Operators : Edit : <Operator> 

This page permits an administrator to edit an operator object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Operators : Edit : Craig Davison (cdavison) 

Form fields: Username (cdavison), Name (Craig Davison), Roles (check boxes for Admin, 
Dispatcher, Analyst), Comment. 

5.4.2.9 Honey Pots : Networks 

This page displays a list of honey pot networks configured in the system and permits an 
administrator to configure a new network, edit existing networks, show the state of their 
associated addresses, and display configuration events associated with a network object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Networks 

[ New Network ] [ Show Archived ] [ All Addresses ] 

First          Last           State 
198.127.4.0    198.127.4.255  Enabled   [ Addresses ] [ Events ] [ Edit ] 
24.131.2.16    24.131.2.54    Disabled  [ Addresses ] [ Events ] [ Edit ] 
156.24.174.32  (illegible)    Enabled   [ Addresses ] [ Events ] [ Edit ] 
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5.4.2.10 Honey Pots : Networks : New 

This page permits the administrator to create a new network object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Networks : New 

Form fields: First Address, Last Address, Comment; [ Add Network ] button. 

5.4.2.11 Honey Pots : Networks : Change State : <Network> 

This page permits the administrator to modify the state of a network object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Networks : Change State : 198.127.4.0-198.127.4.255 

Form fields: Current State (Enabled, read-only), New State (drop-down, showing Disabled), 
Comment; [ Change State ] button. 

5.4.2.12 Honey Pots : Networks : Addresses : <Network> 

This page permits the administrator to determine the status of IPv4 addresses within the 
network. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Networks : Addresses : 198.127.4.0-198.127.4.255 

Address      State                     System 
198.127.4.0  Unassigned (Available) 
198.127.4.1  Assigned                  WinNT 4.0 Honey Pot 
198.127.4.2  Bound                     (illegible) Honey Pot 
198.127.4.3  Unassigned (Cooling Off) 
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5.4.2.13 Honey Pots : Networks : Events : <Network> 

This page permits the administrator to view configuration events associated with a network 
object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Networks : Events : 198.127.4.0-198.127.4.255 

Timestamp            Action    Operator        Comments 
2002-12-25 16:32:..  Disabled  Elias Levy      Disabled for maintenance. 
2002-12-25 14:13:24  Edited    Elias Levy      Expanded IP address space to .255. 
2002-12-23 12:54:41  Enabled   Craig Davidson  Enabled the network to start sample capture. 
2002-12-23 10:01:31  Created   Craig Davidson  New IP address space from UUNet. 

(The seconds of the first timestamp are illegible in the scan.) 

5.4.2.14 Honey Pots : Networks : Edit : <Network> 

This page permits the administrator to edit a network object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Networks : Edit : 198.127.4.0-198.127.4.255 

Form fields: First Address (198.127.4.0), Last Address (198.127.4.255), Comment. 

5.4.2.15 Honey Pots : Servers 

This page displays a list of honey pot server objects configured in the system and 
permits the administrator to create new honey pot server objects, edit them, display their 
honey pot systems, or view the events associated with them. 

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(Screenshot, reconstructed from the figure:) 

Honey Pots : Servers 

[ New Server ] [ Show Archived ] 

Name            Type    State     Hostname 
Calgary 1       VMware  Enabled   dionaea1.securityfocus.com  [ Addresses ] [ Systems ] [ Events ] [ Edit ] 
Calgary 2       VMware  Disabled  dionaea2.securityfocus.com  [ Addresses ] [ Systems ] [ Events ] [ Edit ] 
Santa Monica 1  VMware  Enabled   dionaea3.securityfocus.com  [ Addresses ] [ Systems ] [ Events ] [ Edit ] 

5.4.2.16 Honey Pots : Servers : New 

This page permits the administrator to create a new honey pot server object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Servers : New 

Form fields: Name, Hostname, Type (drop-down, showing VMware), Comment. 

5.4.2.17 Honey Pots : Servers : Change State : <Server> 

This page permits the administrator to change the state of a honey pot server object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Servers : Change State : Calgary 1 

Form fields: Current State (Enabled, read-only), New State (drop-down, showing Disabled), 
Comment; [ Change State ] button. 
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5.4.2.18 Honey Pots : Servers : Addresses : <Server> 

This page permits the administrator to view the IPv4 addresses assigned or bound to a 
honey pot server object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Servers : Addresses : Calgary 1 

Address       State     System 
198.127.4.(illegible)  Assigned  (illegible) Honey Pot 
24.131.2.32   Assigned  WinNT 4.0 Honey Pot 
24.131.2.33   Bound 

5.4.2.19 Honey Pots : Servers : Systems : <Server> 

This page permits the administrator to view the honey pot systems associated with a honey 
pot server object, to create a new honey pot server object, edit an existing one, or view 
the configuration events associated with one. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Servers : Systems : Calgary 1 

[ New System ] [ Show Archived ] 

Columns: Name, State, Weight, Interface, Private Address, Archetype, Ethernet Address, 
followed by [ Instances ] [ Events ] [ Edit ] links for each row. Rows (the Windows NT 4.0 
row is mostly illegible in the scan): 
Windows NT 4.0    (illegible)   vmware0  (illegible)   Windows NT 4.0 Default Install    (illegible) 
Windows 2000      Disabled  25  vmware1  198.169.1.5  Windows 2000 Default Install      00:50:56:00:00:02 
Windows 2000 SP3  Enabled   35  vmware2  198.169.2.5  Windows 2000 SP3 Default Install  00:50:56:00:00:03 
RedHat 7.0        Enabled   30  vmware3  198.169.3.2  RedHat 7.0 Default Install        00:50:56:00:00:04 

5.4.2.20 Honey Pots : Servers : Events : <Server> 

This page permits the administrator to view configuration events associated with a honey 
pot server object. 

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(Screenshot, reconstructed from the figure:) 

Honey Pots : Servers : Events : Calgary 1 

Timestamp            Action    Operator        Comments 
2002-12-25 16:32:19  Enabled   Elias Levy      Maintenance completed. 
2002-12-25 14:13:24  Disabled  Elias Levy      Disabled the server for maintenance. 
2002-12-23 12:54:41  Enabled   Craig Davidson  Enabled the server to start ... (rest illegible) 
2002-12-23 10:01:31  Created   Craig Davidson  Added new calgary honey pot server. 

5.4.2.21 Honey Pots : Servers : Edit : <Server> 

This page permits the administrator to edit a honey pot server object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Servers : Edit : Calgary 1 

Form fields: Name (Calgary 1), Hostname (dionaea1.securityfocus.com), Type (drop-down, 
showing VMware), Comment. 

5.4.2.22 Honey Pots : Systems 

This page permits the administrator to view all honey pot system objects, create new ones, 
edit existing ones, view the instance objects associated with one, or the events associated 
with one. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Systems 

[ New System ] [ Show Archived ] 

Columns: Name, State, Server, Weight, Interface, Private Address, Archetype, Ethernet 
Address, followed by [ Instances ] [ Events ] [ Edit ] links for each row. Rows: 
Windows NT 4.0    Enabled   Calgary 1       10  vmware0  198.169.0.2  Windows NT 4.0 Default Install    00:50:56:00:00:01 
Windows 2000      Disabled  Calgary 1       25  vmware1  198.169.1.5  Windows 2000 Default Install      00:50:56:00:00:02 
Windows 2000 SP3  Enabled   Calgary 2       35  vmware2  (illegible)  Windows 2000 SP3 Default Install  00:50:56:00:00:03 
RedHat 7.0        Enabled   Santa Monica 1  30  vmware3  198.169.3.2  RedHat 7.0 Default Install        00:50:56:00:00:04 
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5.4.2.23 Honey Pots : Systems : New 

This page permits the administrator to create a new honey pot system object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Systems : New 

Form fields: Name, Weight, Interface, Private Address, Server (drop-down, showing Calgary 1), 
Archetype (drop-down, showing Windows NT 4.0 Default Install), Ethernet Address 
(pre-filled with the 00:50:56: prefix), Comment; [ Add System ] button. 

5.4.2.24 Honey Pots : Systems : Change State 

This page permits the administrator to change the state of a honey pot system object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Systems : Change State : Windows NT 4.0 / Calgary 1 

Form fields: Current State (Enabled, read-only), New State (drop-down, showing Disabled), 
Comment; [ Change State ] button. 

5.4.2.25 Honey Pots : Systems : Instances : <System> 

This page permits the administrator to view the honey pot instances associated with a honey 
pot system. 

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(Screenshot, reconstructed from the figure:) 

Honey Pots : Systems : Instances : Windows NT 4.0 / Calgary 1 

Id     Started                  Status 
12517  2002-12-20 14:55:12 UTC  Waiting    [ Details ] [ Events ] 
51611  2002-12-20 14:01:31 UTC  Suspended  [ Details ] [ Events ] 
86571  2002-12-20 13:24:54 UTC  Analyzed   [ Details ] [ Events ] 
36161  2002-12-20 12:14:31 UTC  Analyzed   [ Details ] [ Events ] 

5.4.2.26 Honey Pots : Systems : Events : <System> 

This page permits the administrator to view the configuration events associated with a 
honey pot system. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Systems : Events : Windows NT 4.0 / Calgary 1 

Timestamp            Action       Operator        Comments 
2002-12-25 16:32:09  (illegible)  (illegible)     (illegible) 
2002-12-25 14:13:24  Disabled     Elias Levy      Disabled the system for maintenance. 
2002-12-23 12:54:41  Enabled      Craig Davidson  (illegible) 
2002-12-23 10:01:31  Created      Craig Davidson  Added new Windows NT 4.0 system to the Calgary 1 server. 
5.4.2.27 Honey Pots : Systems : Edit : <System> 

This page permits the administrator to edit a honey pot system object. 

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(Screenshot, reconstructed from the figure:) 

Honey Pots : Systems : Edit : Windows NT 4.0 / Calgary 1 

Form fields: Name (Windows NT 4.0), Weight (10), Interface (vmware0), Private Address 
(198.169.0.2), Server (drop-down, showing Calgary 1), Archetype (drop-down, showing 
Windows NT 4.0 Default Install), Ethernet Address (00:50:56:00:00:01), Comment. 
5.4.2.28 Honey Pots : VMware Archetypes 

This page permits the administrator to view all VMware archetype objects, create new ones, 
or edit existing ones. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : VMware Archetypes 

[ New Archetype ] 

Name                              Filename     Description 
Windows 2000 Default Install      win2k        Default installation of Windows 2000 with no hotfixes or service packs.  [ Edit ] 
Windows 2000 SP3 Default Install  win2ksp3     Default installation of Windows 2000 with Service Pack 3.  [ Edit ] 
RedHat 7.0 Default Install        (illegible)  Default installation of RedHat Linux 7.0.  [ Edit ] 
5.4.2.29 Honey Pots : VMware Archetypes : New 

This page permits the administrator to create a new VMware archetype object. 

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(Screenshot, reconstructed from the figure:) 

Honey Pots : VMware Archetypes : New 

Form fields: Name, Filename, Description, Comment. 

5.4.2.30 Honey Pots : VMware Archetypes : Edit : <Archetypes> 

This page permits the administrator to edit a VMware archetype object. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : VMware Archetypes : Edit : Windows NT 4.0 Default Install 

Form fields: Name (Windows NT 4.0 Default Install), Filename (winnt, last character 
illegible), Description (Default installation of Windows NT 4.0 with no hotfixes or service 
packs.), Comment; [ Edit Archetype ] button. 
5.4.2.31 Honey Pots : Addresses 

This page permits the user to view the state of all honey pot IPv4 addresses and what 
systems they are assigned or bound to. 

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(Screenshot, reconstructed from the figure:) 

Honey Pots : Addresses 

Address        State                     System 
198.127.4.0    Unassigned (Available) 
24.131.2.32    Assigned                  WinNT 4.0 Honey Pot 
24.131.2.33    Bound                     RedHat 7.0 Honey Pot 
156.24.174.32  Unassigned (Cooling Off) 
5.4.2.32 Honey Pots : Instances 

This page permits the user to view all honey pot instances, a honey pot instance's 
details, or the events associated with one. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Instances 

[ Instance Events ] 

Id     Started                  Status     System                            Server          Reviewer 
51231  2002-12-20 14:55:12 UTC  Waiting    Windows NT 4.0 Default Install    Calgary 1                     [ Details ] [ Events ] 
51251  2002-12-20 14:01:31 UTC  Suspended  Windows 2000 SP3 Default Install  Calgary 1                     [ Details ] [ Events ] 
51251  2002-12-20 13:24:54 UTC  Breached   RedHat 7.0 Default Install        Santa Monica 1                [ Details ] [ Events ] 
51251  2002-12-20 12:14:31 UTC  Analyzed   Windows 2000 Default Install      Calgary 2       Jason Miller  [ Details ] [ Events ] 
51251  2002-12-20 12:14:14 UTC  Starting   Windows 2000 SP3 Default Install  Santa Monica 1                [ Details ] [ Events ] 

5.4.2.33 Honey Pots : Instances : Events 

This page permits the user to view all honey pot instance events. 

(Screenshot, reconstructed from the figure:) 

Honey Pots : Instances : Events 

Timestamp                Event        Instance 
2002-12-20 13:24:54 UTC  (illegible)  (illegible) 
2002-12-20 13:24:56 UTC  Waiting      63234 
2002-12-20 13:42:22 UTC  Contacted    (illegible) 
2002-12-20 13:42:41 UTC  Breached     61654 
2002-12-20 13:43:12 UTC  Suspended    (illegible) 
2002-12-20 13:44:21 UTC  Analyzed     16716 
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5.4.2.34 Honey Pots : Instances : <Instance> 

This page permits the user to view a honey pot instance's detailed information, download 
the instance's data, and post a comment about the instance. 

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(Screenshot, reconstructed from the figure; the file hashes, one remote address and some 
file names are illegible in the scan:) 

Honey Pots : Instances : 61856 

[ Download Instance ] [ Post Comment ] [ Close Review ] 

Started 2002-12-20 13:24:54 UTC, status Analyzed. 

Remote Systems (columns: Hostname (Reverse Lookup), Operating System (Passive), 
Operating System (Active), Port Numbers). Two remote systems are listed, one of them an 
FTP server whose address and reverse lookup are illegible: passive fingerprints 
Windows 2000 (4) and Linux 2.0.34-38, active fingerprints Windows 2000 Server SP2 and 
Linux 2.0.34-38, and open ports TCP 22, 25, 80 (plus UDP ports, illegible) for the first and 
TCP 21 for the second. 

Network Events: 

Timestamp                Event                                                 Src Address   Dst Address   Src Port  Dst Port 
2002-12-20 13:42:23 UTC  BACKDOOR CODERED II root.exe backdoor access attempt  175.15.56.61  206.156.61.6  3461      80 
2002-12-20 13:42:25 UTC  BACKDOOR CODERED II root.exe backdoor access attempt  175.15.56.61  206.156.61.6  3462      80 
2002-12-20 13:42:26 UTC  297: WEB MISC - http-directory-traversal              175.15.56.61  206.156.61.6  3463      80 
2002-12-20 13:42:29 UTC  297: WEB MISC - http-directory-traversal              175.15.56.61  206.156.61.6  3464      80 
2002-12-20 13:42:41 UTC  spp_http_decode: IIS Unicode attack detected          175.15.56.61  206.156.61.6  3466      (illegible) 

File System Changes (columns: Change, Checksum, Type, Oracle, Submit to DIS): three rows, a 
new file, a changed DLL under C:\WINNT\SYSTEM32 (name illegible), and another new file, 
each with its MD5 and SHA1, the type MS-DOS executable (EXE), OS/2 or MS Windows, 
Malware Oracle verdicts of CA: Win32.Nimda.A, F-Secure: W32/Nimda.A@mm, Kaspersky: 
I-Worm.Nimda, McAfee: W32/Nimda.gen@MM, Norman: Win32/Nimda.A@mm and TrendMicro: 
PE_NIMDA.A, and [ Oracle ] [ DIS ] links. 

Instance Events: 

Timestamp                Event 
2002-12-20 13:24:54 UTC  (illegible) 
2002-12-20 13:24:56 UTC  Waiting 
2002-12-20 13:42:41 UTC  Breached 
2002-12-20 13:44:21 UTC  Analyzed 

Comments: 

Obviously Nimda 
Just another Nimda infection. Bah. 

What about that FTP connection? What did it download? 

[ Post Comment ] 
5.4.2.35 Honey Pots : Instances : Events : <Instance>

This page permits the user to view the events associated with a honey pot instance.

Honey Pots : Instances : Events : 62856

Timestamp                 Event
2002-12-20 13:24:54 UTC   Starting
2002-12-20 13:24:56 UTC   Waiting
2002-12-20 13:42:22 UTC   Contacted
2002-12-20 13:42:41 UTC   Breached
2002-12-20 13:43:12 UTC   Suspended
2002-12-20 13:44:21 UTC   Analyzed

5.4.2.36 Honey Pots : Work Queue : <Operator>

This page permits the analyst to view the honey pot instances that have been assigned to
him by the dispatcher for review.

Honey Pots : Work Queue : Jason Miller

[Refresh]

ID      Started                   Status     System                             Server
47165   2002-12-20 14:55:12 UTC   Analyzed   Windows NT 4.0 Default Install     Calgary 1        [Details] [Events]
71612   2002-12-20 14:01:31 UTC   Analyzed   Windows 2000 SP3 Default Install   Calgary 1        [Details] [Events]
31672   2002-12-20 13:24:54 UTC   Reviewed   RedHat 7.0 Default Install         Santa Monica 1   [Details] [Events]
86576   2002-12-20 12:14:31 UTC   Reviewed   Windows 2000 Default Install       Calgary 2        [Details] [Events]
36126   2002-12-20 12:14:14 UTC   Reviewed   Windows 2000 SP3 Default Install                    [Details] [Events]

5.4.2.37 Honey Pots : Work Queue Management

This page permits the dispatcher to view the list of honey pot instances, to see to whom
they have been assigned for review, and to assign an analyst for review.

Honey Pots : Work Queue Management

[Refresh]

ID      Started                   Status     System                             Server           Reviewer
41561   2002-12-20 14:55:12 UTC   Analyzed   Windows NT 4.0 Default Install     Calgary 1                         [Details] [Assign] [Events]
61561   2002-12-20 14:01:31 UTC   Analyzed   Windows 2000 SP3 Default Install   Calgary 1        Jason Miller     [Details] [Assign] [Events]
6?315   2002-12-20 13:24:54 UTC   Reviewed   RedHat 7.0 Default Install         Santa Monica 1   Elias Levy       [Details] [Assign] [Events]
61661   2002-12-20 12:14:31 UTC   Reviewed   Windows 2000 Default Install       Calgary 2        Jason Miller     [Details] [Assign] [Events]
61363   2002-12-20 12:14:14 UTC   Reviewed   Windows 2000 SP3 Default Install   Santa Monica 1   Craig Davidson   [Details] [Assign] [Events]
5.4.2.38 Honey Pots : Work Queue Management : Assign : <Instance>

This page permits the dispatcher to assign a honey pot instance to an analyst for review.

Honey Pots : Work Queue Management : Assign : 61713

[Craig Davidson v] [Assign]

5.4.2.39 Honey Pots : Configuration Events

This page permits the administrator to view all configuration events.

Honey Pots : Configuration Events

Timestamp             Action    Type     Object                           Operator         Comments
2002-12-25 14:13:24   Edited    Server   Calgary 1                        Elias Levy       New hostname.
2002-12-23 10:01:31   Created   System   Windows NT 4.0 Default Install   Craig Davidson   New NT 4.0 honey pot.

5.5 Database Server 

The database server runs MS-SQL for data storage. 

IPv4 addresses are stored within the database as integers. The database library layer takes
care of converting the binary number in the client's system from its native byte order to
that of the database server, and vice versa. Thus, the client is not required to perform any
explicit byte-order operations on an address before storing it in, or reading it from, the
database in order to interoperate with systems of a different byte order.

5.5.1 Tables 

The database maintains the following tables: 
5.5.1.1 ObjectStates Table

The ObjectStates table maintains a list of constants that describe the different states
some system objects can take. They permit an operator to add objects to the system
without having the system act on them, and to stop the system from acting on some objects
without deleting them.

When an object is in the Enabled state, the UI displays it normally and the system makes
use of it. When an object is in the Disabled state, the UI displays it normally, but the
system does not make use of it. When an object is in the Archived state, the UI only
displays it if the user explicitly asks to view archived objects, and the system does not
make use of it. The UI permits a user to purge archived objects, which irrevocably deletes
the corresponding records from the database.

ObjectStates

Column   Type      Constraints              Description
ID       Int       Primary Key. Identity.   Identification number.
Name     Varchar   Unique. Not Null.        Object state name: "Enabled", "Disabled", or "Archived".


5.5.1.2 OperatorActions Table

The OperatorActions table maintains a list of constants that describe the different
actions an operator can perform on the system objects. These include creating an object,
enabling it, disabling it, archiving it, editing it, and deleting it.

OperatorActions

Column   Type      Constraints              Description
ID       Int       Primary Key. Identity.   Identification number.
Name     Varchar   Unique. Not Null.        Action name: "Created", "Enabled", "Disabled", "Archived", "Edited", or "Deleted".


5.5.1.3 HoneyPotOperators Table

The HoneyPotOperators table maintains a list of accounts that can view and manage
honey pot information.

HoneyPotOperators

Column       Type      Constraints              Description
ID           Int       Primary Key. Identity.   Identification number.
Account      Varchar   Unique. Not Null.        The account name.
Password     Varchar   Not Null.                The account password.
State        Int       Foreign Key. Not Null.   Reference to ObjectStates:ID.
Admin        Bit       Not Null.                Whether the operator is allowed to add operator accounts, change passwords, etc.
Dispatcher   Bit       Not Null.                Whether the operator is allowed to assign honey pot instances to operators for review.
Analyst      Bit       Not Null.                Whether the operator is allowed to review honey pot instances, post comments, etc.


5.5.1.4 HoneyPotServers Table

The HoneyPotServers table maintains a list of systems that manage honey pots.

HoneyPotServers

Column     Type      Constraints              Description
ID         Int       Primary Key. Identity.   Identification number.
State      Int       Foreign Key. Not Null.   Reference to ObjectStates:ID.
Name       Varchar   Unique. Not Null.        Name of the honey pot server.
Hostname   Varchar   Unique. Not Null.        Hostname or IP address of the honey pot server.
Type       Int       Foreign Key. Not Null.   Reference to HoneyPotServerTypes:ID.


5.5.1.5 HoneyPotServerTypes Table

The HoneyPotServerTypes table maintains a list of constants that describe the different
types of honey pot servers. Initial versions of AQS support only one type of honey pot
server, VMware. It is foreseen that future versions of AQS will support other honey pot
server types, such as ManTrap.

HoneyPotServerTypes

Column   Type      Constraints              Description
ID       Int       Primary Key. Identity.   Identification number.
Name     Varchar   Unique. Not Null.        Honey pot server type name: "VMware".
5.5.1.6 HoneyPotNetworks Table

The HoneyPotNetworks table maintains a list of routable IPv4 address ranges that are
mapped to the honey pot systems. IPv4 address ranges must not overlap.

HoneyPotNetworks

Column      Type     Constraints              Description
ID          Int      Primary Key. Identity.   Identification number.
State       Int      Foreign Key. Not Null.   Reference to ObjectStates:ID.
FirstAddr   Bigint   Unique. Not Null.        First IPv4 address in the IPv4 address range (inclusive). This IPv4 address must be lower within the IPv4 address space than the IPv4 address in the LastAddr column.
LastAddr    Bigint   Unique. Not Null.        Last IPv4 address in the IPv4 address range (inclusive). This IPv4 address must be higher within the IPv4 address space than the IPv4 address in the FirstAddr column.
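The following is an added example, not code from the specification or the AQS project. It shows how a client would produce the integer form of an IPv4 address described in Section 5.5 (the value is built from the octets in network byte order, so no host-specific byte swapping is needed), and how the two HoneyPotNetworks rules above (FirstAddr below LastAddr, no overlapping ranges) can be checked before a row is inserted. The address ranges are constructed sample data; only 206.156.61.6 appears in the page's mockups.

```python
import ipaddress
import struct


def ipv4_to_int(addr: str) -> int:
    """Dotted quad -> unsigned 32-bit integer, the value stored in a Bigint column.

    The integer is built from the four octets in network (big-endian) order, so
    every client computes the same value whatever its native byte order; the
    database library layer takes care of encoding that integer on the wire.
    """
    packed = ipaddress.IPv4Address(addr).packed   # validates and yields 4 bytes, network order
    return struct.unpack("!I", packed)[0]         # "!" = network order, independent of host order


def int_to_ipv4(value: int) -> str:
    """Inverse of ipv4_to_int; rejects values that do not fit in 32 bits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} is not a 32-bit IPv4 value")
    return str(ipaddress.IPv4Address(struct.pack("!I", value)))


def validate_range(first: str, last: str) -> tuple[int, int]:
    """Apply the FirstAddr/LastAddr ordering rule and return the pair as integers."""
    lo, hi = ipv4_to_int(first), ipv4_to_int(last)
    if lo >= hi:
        raise ValueError(f"FirstAddr {first} must be lower than LastAddr {last}")
    return lo, hi


def find_overlaps(ranges: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Index pairs (i, j), i < j, of ranges that share at least one address.

    An empty result means the HoneyPotNetworks non-overlap rule holds.
    """
    bad = []
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (a_lo, a_hi), (b_lo, b_hi) = ranges[i], ranges[j]
            if a_lo <= b_hi and b_lo <= a_hi:     # closed intervals intersect
                bad.append((i, j))
    return bad


def expand_range(lo: int, hi: int) -> list[str]:
    """Every address of an inclusive range, e.g. to seed HoneyPotAddresses rows."""
    return [int_to_ipv4(v) for v in range(lo, hi + 1)]


if __name__ == "__main__":
    # Constructed sample ranges; r3 straddles r1 and r2 and must be rejected.
    r1 = validate_range("206.156.61.1", "206.156.61.254")
    r2 = validate_range("206.156.62.1", "206.156.62.254")
    r3 = validate_range("206.156.61.200", "206.156.62.10")
    print(ipv4_to_int("206.156.61.6"), int_to_ipv4(3466345734))
    print(find_overlaps([r1, r2, r3]))   # [(0, 2), (1, 2)]
```

The overlap check is quadratic, which is adequate for the handful of ranges a deployment registers; what matters is that it is run against the Enabled rows before the insert, because the Unique constraints on FirstAddr and LastAddr alone do not catch a range nested inside another.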



5.5.1.7 HoneyPotAddresses Table

The HoneyPotAddresses table maintains the state of the routable IPv4 addresses available for
mapping by honey pot systems.

HoneyPotAddresses

Column      Type       Constraints                                          Description
ID          Int        Primary Key. Identity.                               Identification number.
Address     Bigint     Unique. Not Null.                                    A honey pot routable IPv4 address.
State       Int        Foreign Key. Not Null.                               Reference to HoneyPotAddressStates:ID. The state of the address.
System      Int        Foreign Key.                                         Reference to HoneyPotSystems:ID, or NULL. The honey pot system the address is mapped to, if any.
Available   Datetime   Not Null. Default Dateadd(second,(-1),Getdate()).    The date and time after which an Unassigned address becomes available for assignment. This field is set to a future time to permit Bound addresses to "cool off" after they become Unassigned.
5.5.1.8 HoneyPotAddressStates Table

The HoneyPotAddressStates table maintains a list of constants that describe the
different states of routable addresses available for mapping by honey pot systems.

HoneyPotAddressStates

Column   Type      Constraints              Description
ID       Int       Primary Key. Identity.   Identification number.
Name     Varchar   Unique. Not Null.        Honey pot address state name: "Unassigned", "Assigned", or "Bound".


5.5.1.9 HoneyPotAddressEvents Table

The HoneyPotAddressEvents table maintains an audit trail of the honey pot addresses.

HoneyPotAddressEvents

Column     Type       Constraints                     Description
ID         Int        Primary Key. Identity.          Identification number.
Timestmp   Datetime   Not Null. Default Getdate().    The date and time when the event occurred.
Address    Int        Foreign Key. Not Null.          Reference to HoneyPotAddresses:ID.
State      Int        Foreign Key. Not Null.          Reference to HoneyPotAddressStates:ID.
Instance   Int        Foreign Key.                    Reference to HoneyPotInstances:ID if the State is Bound, or NULL.
System     Int        Foreign Key.                    Reference to HoneyPotSystems:ID if the State is Bound, or NULL.


5.5.1.10 HoneyPotSystems Table

The HoneyPotSystems table maintains a list of honey pot systems. It maps honey pot
systems to honey pot servers.

HoneyPotSystems

Column               Type      Constraints              Description
ID                   Int       Primary Key. Identity.   Identification number.
Server               Int       Foreign Key. Not Null.   Reference to HoneyPotServers:ID.
State                Int       Foreign Key. Not Null.   Reference to ObjectStates:ID.
Name                 Varchar   Unique. Not Null.        Descriptive name of the honey pot system.
Weight               Tinyint   Not Null.                Numeric value that acts as a weight when assigning routable IPv4 addresses to honey pots. All of a honey pot server's honey pot weights are added, and the honey pot's weight is used to compute the percentage of routable IPv4 addresses that should be assigned to it.
NetworkInterface     Varchar   Unique. Not Null.        Network interface to the network connected to the honey pot.
PrivateIPv4Address   Bigint    Unique. Not Null.        Private IPv4 address of the honey pot system.
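An added example (not code from the specification or the AQS project) that ties together three rules from the tables above: only Enabled objects take part (5.5.1.1), a released address must sit out its cool-off before the Available timestamp lets it be reassigned (5.5.1.7), and a server's addresses are split among its honey pots in proportion to Weight (5.5.1.10). The rows are plain dictionaries standing in for database records, the ten-minute cool-off is an assumption (the page gives no duration), and the largest-remainder rounding of the percentages is one reasonable reading of "compute the percentage", not something the page prescribes.

```python
from datetime import datetime, timedelta

# Cool-off applied when a Bound address is released. The page states that Available
# is set to a future time for this purpose but gives no duration; 10 minutes is assumed.
COOL_OFF = timedelta(minutes=10)


def release_address(addr: dict, now: datetime, cool_off: timedelta = COOL_OFF) -> dict:
    """Bound -> Unassigned. Available is pushed into the future so the address is not
    reissued to a new instance while traffic aimed at the breached one may still arrive."""
    addr["State"] = "Unassigned"
    addr["System"] = None
    addr["Available"] = now + cool_off
    return addr


def available_addresses(addresses: list[dict], now: datetime) -> list[dict]:
    """Rows an assignment pass may use (the State = 'Unassigned' AND Available <= now test)."""
    return [a for a in addresses if a["State"] == "Unassigned" and a["Available"] <= now]


def address_quota(systems: list[dict], total: int) -> dict[int, int]:
    """Split `total` addresses among one server's Enabled systems in proportion to Weight.

    Largest-remainder rounding makes the quotas sum exactly to `total`; ties go to the
    lower system ID so the result is deterministic.
    """
    active = [s for s in systems if s["State"] == "Enabled"]   # Disabled/Archived objects are not used
    total_weight = sum(s["Weight"] for s in active)
    if total_weight == 0:
        return {s["ID"]: 0 for s in active}
    exact = {s["ID"]: total * s["Weight"] / total_weight for s in active}
    quota = {sid: int(v) for sid, v in exact.items()}
    leftover = total - sum(quota.values())
    for sid in sorted(exact, key=lambda sid: (-(exact[sid] - quota[sid]), sid))[:leftover]:
        quota[sid] += 1
    return quota


def assign_addresses(systems: list[dict], addresses: list[dict], now: datetime) -> dict[int, int]:
    """One assignment pass over the currently available pool. Marks rows Assigned and
    records the owning system; returns the count handed to each system ID."""
    pool = available_addresses(addresses, now)
    quota = address_quota(systems, len(pool))
    handed = {sid: 0 for sid in quota}
    pos = 0
    for sid, n in quota.items():
        for addr in pool[pos:pos + n]:
            addr["State"] = "Assigned"
            addr["System"] = sid
            handed[sid] += 1
        pos += n
    return handed


def demo() -> tuple[dict[int, int], int, int]:
    """Constructed sample: 10 addresses and three systems (one Disabled). One address is
    released from a breached instance, then an assignment pass runs. Returns the per-system
    counts, the pool size right after the pass, and the pool size once the cool-off ends."""
    now = datetime(2002, 12, 20, 13, 44, 21)   # timestamp style taken from the page's mockups
    addresses = [{"ID": i, "Address": 3466345728 + i, "State": "Unassigned", "System": None,
                  "Available": now - timedelta(seconds=1)} for i in range(1, 11)]
    systems = [{"ID": 1, "Weight": 3, "State": "Enabled"},
               {"ID": 2, "Weight": 1, "State": "Enabled"},
               {"ID": 3, "Weight": 9, "State": "Disabled"}]
    addresses[0]["State"] = "Bound"                      # pretend it was bound to a breached instance
    release_address(addresses[0], now)                   # now Unassigned, but cooling off
    handed = assign_addresses(systems, addresses, now)   # 9 usable addresses: {1: 7, 2: 2}
    left_now = len(available_addresses(addresses, now))
    left_later = len(available_addresses(addresses, now + COOL_OFF))
    return handed, left_now, left_later


if __name__ == "__main__":
    print(demo())   # ({1: 7, 2: 2}, 0, 1)
```

Note that the Disabled system with the largest weight receives nothing, and that the cooling-off address is invisible to the pass even though its State is already Unassigned; both behaviours follow from the column semantics rather than from extra bookkeeping.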



5.5.1.11 HoneyPotInstances Table

The HoneyPotInstances table maintains a list of honey pot instances. It maps honey pot
instances to honey pot systems.

HoneyPotInstances

Column     Type       Constraints              Description
ID         Int        Primary Key. Identity.   Identification number.
System     Int        Foreign Key. Not Null.   Reference to HoneyPotSystems:ID.
Started    Datetime   Not Null.                Date and time when the instance was created.
Status     Int        Foreign Key. Not Null.   Reference to HoneyPotInstanceStatus:ID. Set by the honey pot server. It represents the status the honey pot instance is in.
Reviewer   Int        Foreign Key.             Reference to HoneyPotOperators:ID, or NULL. It represents the operator assigned to review the breach of the honey pot instance.


5.5.1.12 HoneyPotInstanceStatus Table

The HoneyPotInstanceStatus table maintains a list of constants that describe the
different honey pot instance statuses.

HoneyPotInstanceStatus

Column   Type      Constraints              Description
ID       Int       Primary Key. Identity.   Identification number.
Name     Varchar   Unique. Not Null.        Honey pot instance state name: "Starting", "Executing", "Waiting", "Contacted", "Breached", "Stopping", "Suspended", "Halted", "Analyzed", and "Reviewed".


5.5.1.13 HoneyPotInstanceEvents Table

The HoneyPotInstanceEvents table maintains an audit trail of the state of the honey
pots.

HoneyPotInstanceEvents

Column     Type       Constraints                     Description
ID         Int        Primary Key. Identity.          Identification number.
Timestmp   Datetime   Not Null. Default Getdate().    The date and time when the event occurred.
Instance   Int        Foreign Key. Not Null.          Reference to HoneyPotInstances:ID.
Status     Int        Foreign Key. Not Null.          Reference to HoneyPotInstanceStatus:ID.
Operator   Int        Foreign Key.                    Reference to HoneyPotOperators:ID, or NULL. If the Status is Reviewed, the operator that reviewed the instance.


5.5.1.14 HoneyPotInstanceComments Table

The HoneyPotInstanceComments table maintains a list of comments on honey pot
instances by operators.

HoneyPotInstanceComments

Column     Type       Constraints              Description
ID         Int        Primary Key. Identity.   Identification number.
Instance   Int        Foreign Key. Not Null.   Reference to HoneyPotInstances:ID.
Operator   Int        Foreign Key. Not Null.   Reference to HoneyPotOperators:ID, or NULL. It represents the operator that posted the comment.
Timestmp   Datetime   Not Null.                Date and time when the comment was posted.
Subject    Varchar    Not Null.                The comment's subject.
Comment    Varchar    Not Null.                The comment.


5.5.1.15 HoneyPotEvents Table

The HoneyPotEvents table maintains an audit trail of actions performed by operators.

HoneyPotEvents

Column        Type       Constraints                     Description
ID            Int        Primary Key. Identity.          Identification number.
Timestmp      Datetime   Not Null. Default Getdate().    The date and time when the event occurred.
ObjectType    Int        Not Null.                       Reference to HoneyPotObjectTypes:ID. The object type target of this event.
Object        Int        Not Null.                       Reference to HoneyPotOperators:ID, HoneyPotServers:ID, HoneyPotNetworks:ID, or HoneyPotSystems:ID.
Operator      Int        Not Null.                       Reference to HoneyPotOperators:ID. The operator that performed the action that led to the event.
OpAction      Int        Not Null.                       Reference to OperatorActions:ID.
Description   Varchar    Not Null.                       A description of the action taken, generated by the system.
Comment       Varchar                                    Optional comment entered by the operator describing the changes.


5.5.1.16 HoneyPotObjectTypes Table

The HoneyPotObjectTypes table maintains a list of constants that describe the different
honey pot object types operators can manage.

HoneyPotObjectTypes

Column   Type      Constraints              Description
ID       Int       Primary Key. Identity.   Identification number.
Name     Varchar   Unique. Not Null.        Honey pot object name: "Operator", "Server", "Network", "System", and "VMwareArchetype".


5.5.1.17 VMwareHoneyPotSystems Table

The VMwareHoneyPotSystems table maintains a list of attributes specific to VMware
honey pots. It maps a honey pot system to one or more archetypes. The honey pot system
must be associated with a honey pot server of type "VMware". The same archetype can
be mapped to more than one honey pot system.

VMwareHoneyPotSystems

Column            Type       Constraints                                                                                          Description
ID                Int        Primary Key. Identity.                                                                               Identification number.
System            Int        Foreign Key. Not Null. Unique.                                                                       Reference to HoneyPotSystems:ID.
Archetype         Int        Foreign Key. Not Null.                                                                               Reference to VMwareHoneyPotArchetypes:ID.
EthernetAddress   Char(17)   Unique. Not Null. Must match the expression '00:50:56:[0-3][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]'.   Ethernet address of the honey pot system. The address must be of the form 00:50:56:XX:YY:ZZ, where XX is a hex number between 00h and 3Fh, and YY and ZZ are hex numbers between 00h and FFh.
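An added example, not code from the specification or the AQS project, of enforcing the EthernetAddress rule before a row reaches the Unique, Char(17) column: it validates the exact form the expression above accepts, canonicalises input typed with hyphens or lower-case digits, and picks the lowest unused address in the 00:50:56:00:00:00 to 00:50:56:3F:FF:FF range. The sample addresses fed to it are constructed. (00:50:56 is VMware's OUI, and VMware documents the 00h-3Fh first host octet as the range reserved for manually configured addresses, which is the reason for the constraint.)

```python
import re

# Per the VMwareHoneyPotSystems table: VMware's 00:50:56 OUI, then a first host octet
# in 00h..3Fh and two unrestricted octets, upper-case hex with colon separators.
ETHERNET_ADDRESS_RE = re.compile(r"^00:50:56:[0-3][0-9A-F]:[0-9A-F]{2}:[0-9A-F]{2}$")


def is_valid_ethernet_address(addr: str) -> bool:
    """True when addr is exactly the Char(17) form the column accepts."""
    return len(addr) == 17 and ETHERNET_ADDRESS_RE.match(addr) is not None


def normalize_ethernet_address(addr: str) -> str:
    """Accept '-' or ':' separators and either case; return the canonical form or raise."""
    canon = addr.strip().upper().replace("-", ":")
    if not is_valid_ethernet_address(canon):
        raise ValueError(f"{addr!r} is outside the allowed honey pot Ethernet address range")
    return canon


def next_free_ethernet_address(in_use) -> str:
    """Lowest address in the allowed range not already used (the column is Unique)."""
    used = {normalize_ethernet_address(a) for a in in_use}
    for n in range(0x400000):                      # 2^22 addresses: 00:00:00 .. 3F:FF:FF
        candidate = "00:50:56:%02X:%02X:%02X" % (n >> 16, (n >> 8) & 0xFF, n & 0xFF)
        if candidate not in used:
            return candidate
    raise RuntimeError("no free address left in the manual VMware range")


if __name__ == "__main__":
    # Constructed inputs.
    print(normalize_ethernet_address("00-50-56-3f-ff-ff"))                          # 00:50:56:3F:FF:FF
    print(next_free_ethernet_address(["00:50:56:00:00:00", "00-50-56-00-00-01"]))   # 00:50:56:00:00:02
```

Normalising before the Unique check matters: without it, "00-50-56-00-00-01" and "00:50:56:00:00:01" would both pass a naive lookup and two honey pots could end up answering on the same Ethernet address.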



5.5.1.18 VMwareHoneyPotArchetypes Table

The VMwareHoneyPotArchetypes table maintains a list of VMware honey pot
archetypes.

VMwareHoneyPotArchetypes

Column        Type      Constraints              Description
ID            Int       Primary Key. Identity.   Identification number.
Name          Varchar   Unique. Not Null.        Honey pot archetype name.
Description   Varchar   Not Null.                Description of the archetype, such as what operating system is installed, what applications, their configuration, etc.
Filename      Varchar   Unique. Not Null.        Filename of the archetype.


5.5.1.19 FileSystemChanges Table

The FileSystemChanges table maintains a list of changes to the file system of honey pot
instances detected during post-intrusion analysis.

A change of Deleted indicates the file was removed from the file system. A change of
Metadata indicates the file's metadata (inode number, permissions, number of links, user-
id, group-id, modification time, metadata modification time, ext2 attributes, ACLs, NTFS
streams, FAT attributes, etc.) were modified. A change of Content indicates the file's
contents were modified. A change of Created indicates the file did not previously exist
and was newly created.

FileSystemChanges

Column        Type       Constraints              Description
ID            Int        Primary Key. Identity.   Identification number.
Instance      Int        Foreign Key. Not Null.   Reference to HoneyPotInstances:ID.
Filename      Varchar    Not Null.                Filename of the affected file.
Path          Varchar    Not Null.                Path to the affected file.
Deleted       Bit                                 Whether the file was deleted.
Metadata      Bit                                 Whether the file's metadata was modified.
Content       Bit                                 Whether the file's content was modified.
Created       Bit                                 Whether the file was created.
Description   Varchar    Not Null.                Description of the changes if the Metadata flag is set (e.g. "user-id changed from root to bin").
MD5           Char(32)                            The MD5 hash of the file's contents, if the Change flags Content or Created are set, or NULL.
SHA1          Char(40)                            The SHA1 hash of the file's contents, if the Change flags Content or Created are set, or NULL.
Type          Varchar                             A description of the type of the file, if the Change flags Content or Created are set, or NULL.
MIMEType      Varchar                             The MIME type of the file, if the Change flags Content or Created are set, or NULL.
Malware       Varchar                             The type of malware the file is, if the Change flags Content or Created are set, or NULL.
DIS           Varchar                             Result from DIS, if the Change flags Content or Created are set, or NULL.
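An added example, not code from the specification or the AQS project, of how post-intrusion analysis could derive FileSystemChanges rows: it compares a baseline snapshot of an instance's file system with the post-breach snapshot, sets the Deleted, Metadata, Content and Created flags as defined above, builds the Description from the metadata fields that differ, and fills MD5 and SHA1 only when Content or Created is set. The snapshots are constructed in-memory samples (the file names, contents and metadata are made up); the Type, MIMEType, Malware and DIS columns, which need external tools, are left out.

```python
import hashlib


def split_path(full: str) -> tuple[str, str]:
    """Split a Windows or POSIX path into the Path and Filename columns."""
    sep = "\\" if "\\" in full else "/"
    head, _, tail = full.rpartition(sep)
    return head, tail


def _digests(content: bytes) -> tuple[str, str]:
    return hashlib.md5(content).hexdigest(), hashlib.sha1(content).hexdigest()


def file_system_changes(instance_id: int, baseline: dict, after: dict) -> list[dict]:
    """Compare two snapshots {path: {"content": bytes, "meta": {name: value}}} and emit
    one FileSystemChanges-shaped record per deleted, created or modified file.
    Hashes are filled only when Content or Created is set, as the column rules require."""
    records = []
    for full in sorted(set(baseline) | set(after)):
        before, now = baseline.get(full), after.get(full)
        path, name = split_path(full)
        rec = {"Instance": instance_id, "Path": path, "Filename": name,
               "Deleted": False, "Metadata": False, "Content": False, "Created": False,
               "Description": "", "MD5": None, "SHA1": None}
        if now is None:
            rec["Deleted"] = True
        elif before is None:
            rec["Created"] = True
        else:
            rec["Content"] = now["content"] != before["content"]
            keys = sorted(set(before["meta"]) | set(now["meta"]))
            diffs = [f"{k} changed from {before['meta'].get(k)} to {now['meta'].get(k)}"
                     for k in keys if before["meta"].get(k) != now["meta"].get(k)]
            if diffs:
                rec["Metadata"] = True
                rec["Description"] = "; ".join(diffs)
            if not (rec["Content"] or rec["Metadata"]):
                continue                      # unchanged file: no row
        if rec["Content"] or rec["Created"]:
            rec["MD5"], rec["SHA1"] = _digests(now["content"])
        records.append(rec)
    return records


def demo() -> list[dict]:
    """Constructed before/after snapshots of one honey pot instance (ID from the page's mockup)."""
    baseline = {
        "/etc/passwd":       {"content": b"root:x:0:0::/root:/bin/sh\n", "meta": {"user-id": "root", "mode": "0644"}},
        "/bin/ls":           {"content": b"ELF-original",               "meta": {"user-id": "root", "mode": "0755"}},
        "/var/log/messages": {"content": b"Dec 20 13:24:54 boot\n",     "meta": {"user-id": "root", "mode": "0644"}},
        "/etc/hosts":        {"content": b"127.0.0.1 localhost\n",      "meta": {"user-id": "root", "mode": "0644"}},
    }
    after = {
        "/etc/passwd":       {"content": baseline["/etc/passwd"]["content"], "meta": {"user-id": "bin", "mode": "0644"}},
        "/bin/ls":           {"content": b"ELF-trojaned",                "meta": {"user-id": "root", "mode": "0755"}},
        "/etc/hosts":        baseline["/etc/hosts"],
        "/tmp/payload.bin":  {"content": b"hello",                       "meta": {"user-id": "root", "mode": "0755"}},
    }
    return file_system_changes(61856, baseline, after)


if __name__ == "__main__":
    for rec in demo():
        flags = [f for f in ("Deleted", "Metadata", "Content", "Created") if rec[f]]
        print(rec["Path"], rec["Filename"], flags, rec["Description"], rec["MD5"])
```

Keeping both digests per the schema is useful even though MD5 alone is no longer collision resistant: SHA1 is what should be matched against other systems, while the MD5 column still lets the analyst cross-reference older vendor reports that only list MD5 values.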
5.5.1.20 RemoteSystems Table

The RemoteSystems table maintains a list of remote systems seen communicating with a
honey pot instance.

RemoteSystems

Column        Type      Constraints              Description
ID            Int       Primary Key. Identity.   Identification number.
Instance      Int       Foreign Key. Not Null.   Reference to HoneyPotInstances:ID.
Address       Bigint    Not Null.                IPv4 address of the remote system.
Hostname      Varchar                            Hostname associated to the remote system by performing a reverse DNS query on the remote system's IPv4 address, or NULL if the query returned no result.
PassiveOS     Varchar                            Operating system of the remote system estimated via passive fingerprinting, or NULL if undetermined.
ActiveOS      Varchar                            Operating system of the remote system estimated via active fingerprinting, or NULL if undetermined.
Uptime        Varchar                            System uptime, or NULL if undetermined.
TCPSequence   Varchar                            The difficulty of guessing the system's TCP sequence numbers, or NULL if undetermined.


5.5.1.21 RemoteSystemPorts Table

The RemoteSystemPorts table maintains a list of accessible ports in a remote system.

RemoteSystemPorts

Column         Type      Constraints              Description
RemoteSystem   Int       Foreign Key. Not Null.   Reference to RemoteSystems:ID.
Port           Int       Not Null.                The port number.
TCP            Bit       Not Null.                If it is not TCP, then it must be UDP.
State          Int       Foreign Key. Not Null.   Reference to RemoteSystemPortStates:ID.
Ident          Varchar                            Information returned by ident for the port number, or NULL if undetermined.
RPC            Int                                If an RPC service is listening on the Open port, its RPC program number and version, or NULL if the port is Unfiltered, Filtered or Closed, or no RPC service is listening on it.


5.5.1.22 RemoteSystemPortStates Table

The RemoteSystemPortStates table maintains a list of constants that describe the
different states of a port.

RemoteSystemPortStates

Column   Type      Constraints              Description
ID       Int       Primary Key. Identity.   Identification number.
Name     Varchar   Unique. Not Null.        Port state name: "Open", "Closed", "Filtered", or "Unfiltered".


5.5.1.23 NetworkEvents Table

The NetworkEvents table maintains a list of network events (probes and attacks)
detected by an IDS against a honey pot instance.

NetworkEvents

Column               Type       Constraints              Description
ID                   Int        Primary Key. Identity.   Identification number.
Instance             Int        Foreign Key. Not Null.   Reference to HoneyPotInstances:ID.
Timestmp             Datetime   Not Null.                The date and time of the event.
SnortID              Int        Not Null.                The snort signature id that matched the event.
Revision             Smallint   Not Null.                The snort signature revision that matched the event.
Message              Varchar    Not Null.                The snort message.
SourceAddress        Bigint     Not Null.                The source address of the matched IPv4 traffic.
DestinationAddress   Bigint     Not Null.                The destination address of the matched IPv4 traffic.
Protocol             Varchar                             The protocol that generated the event.
SourcePort           Int                                 The source port number, if the event was generated by TCP or UDP traffic.
DestinationPort      Int                                 The destination port number, if the event was generated by TCP or UDP traffic.
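An added example, not code from the specification or the AQS project, that turns Snort "fast" alert lines into NetworkEvents-shaped records: the generator:signature:revision triple becomes SnortID and Revision, addresses are stored as integers as Section 5.5 requires, ports are left NULL for protocols such as ICMP that have none, and alerts aimed at other addresses are dropped. The alert lines are constructed samples; only the signature id 297, its message text and the two addresses are taken from the page's mockup, while the classification strings, the ICMP alert and the revision numbers are made up. Snort's fast format carries no year, so the instance's Started year is supplied by the caller.

```python
import ipaddress
import re
from datetime import datetime
from typing import Optional

# Snort "fast" alert layout: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. Classification is optional; ICMP has no ports.
FAST_ALERT_RE = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.(?P<usec>\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line: str, instance_id: int, year: int) -> Optional[dict]:
    """One alert line -> NetworkEvents record, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['month']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    proto = m["proto"].upper()
    has_ports = proto in ("TCP", "UDP")
    return {
        "Instance": instance_id,
        "Timestmp": ts,
        "SnortID": int(m["sid"]),
        "Revision": int(m["rev"]),
        "Message": m["msg"],
        "SourceAddress": int(ipaddress.IPv4Address(m["src"])),        # Bigint column value
        "DestinationAddress": int(ipaddress.IPv4Address(m["dst"])),
        "Protocol": proto,
        "SourcePort": int(m["sport"]) if has_ports and m["sport"] else None,
        "DestinationPort": int(m["dport"]) if has_ports and m["dport"] else None,
    }


def load_alerts(lines, instance_id: int, year: int, instance_address: str) -> list[dict]:
    """Keep only alerts whose destination is the instance's routable address; skip other lines."""
    wanted = int(ipaddress.IPv4Address(instance_address))
    events = []
    for line in lines:
        rec = parse_fast_alert(line, instance_id, year)
        if rec and rec["DestinationAddress"] == wanted:
            events.append(rec)
    return events


# Constructed sample alert file contents (see the lead-in for what is and is not from the page).
SAMPLE_ALERTS = [
    "12/20-13:42:26.000000  [**] [1:297:2] WEB MISC - http-directory-traversal [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 175.15.56.61:3463 -> 206.156.61.6:80",
    "12/20-13:42:29.000000  [**] [1:297:2] WEB MISC - http-directory-traversal [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 175.15.56.61:3464 -> 206.156.61.6:80",
    "12/20-13:42:30.000000  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 175.15.56.61 -> 206.156.61.6",
    "12/20-13:42:31.000000  [**] [1:297:2] WEB MISC - http-directory-traversal [**] "
    "[Priority: 2] {TCP} 175.15.56.61:3470 -> 206.156.61.7:80",
    "not an alert line",
]


if __name__ == "__main__":
    for ev in load_alerts(SAMPLE_ALERTS, 61856, 2002, "206.156.61.6"):
        print(ev["Timestmp"], ev["SnortID"], ev["Revision"], ev["Protocol"],
              ev["SourcePort"], ev["DestinationPort"], ev["Message"])
```

Filtering on the destination address is what ties an alert to the right HoneyPotInstances row: several instances share a sensor, and the address an instance is Bound to (HoneyPotAddresses) is the only key the alert carries.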



5.5.2 Entity Relationship Diagrams 

The following are partial entity relationship diagrams (ERDs) of the tables described 
earlier. 
[The diagram images did not survive extraction; the entities and key columns recoverable
from them are listed below. PK = primary key, FKn = foreign key, Un = unique constraint.]

ObjectStates: PK ID; U1 Name
HoneyPotServerTypes: PK ID; U1 Name
HoneyPotServers: PK ID; FK2 State; U1 Name; U2 Hostname; FK1 Type
HoneyPotSystems: PK ID; FK1 Server; FK2 State; U1 Name; Weight; U2 NetworkInterface; U3 PrivateIPv4Address
VMwareHoneyPotSystems: PK ID; FK1 System; FK2 Archetype; EthernetAddress
VMwareHoneyPotArchetypes: PK ID; U1 Name; Description; U2 Filename
HoneyPotNetworks: PK ID; FK1 State; FirstAddr; LastAddr
HoneyPotAddresses: PK ID; U1 Address; FK1 State; FK2 System; Available
HoneyPotAddressEvents: PK ID; Timestmp; Address; Operator; State; System
HoneyPotOperators: PK ID; U1 Account; Password; Admin; Dispatcher; Analyst; FK1 State
HoneyPotInstances: PK ID; FK3 System; Started; FK1 Status; FK2 Reviewer
HoneyPotInstanceStatus: PK ID; U1 Name
HoneyPotInstanceEvents: PK ID; Timestmp; FK1 Instance; FK2 Status; FK3 Operator
HoneyPotInstanceComments: PK ID; FK1 Instance; FK2 Operator; Timestmp; Comment
FileSystemChanges: PK ID; FK1 Instance; Filename; Path; Deleted; Metadata; Content; Created; Description; MD5; SHA1; Type; MIMEType; Malware; DIS
NetworkEvents: PK ID; FK1 Instance; Timestmp; SnortID; Revision; SourceAddress; DestinationAddress; SourcePort; DestinationPort
RemoteSystems: PK ID; FK1 Instance; Address; Hostname; PassiveOS; ActiveOS; Uptime; TCPSequence
RemoteSystemPorts: FK2 RemoteSystem; Port; TCP; FK1 State; Ident; RPC
RemoteSystemPortStates: PK ID; U1 Name

5.5.2.5 Operators and Events

ObjectStates: PK ID; U1 Name
HoneyPotObjectTypes: PK ID; U1 Name
HoneyPotOperators: PK ID; U1 Account; Password; Admin; Dispatcher; Analyst; FK1 State
OperatorActions: PK ID; U1 Name
HoneyPotEvents: PK ID; Timestmp; FK1 ObjectType; Object; FK2 Operator; FK3 OpAction; Description; Comment
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6. External Dependencies 



6.1 DeepSight TMS 



The DeepSight TMS team is building a database of TCP and UDP port number
information, as well as RPC program number information. Once their work is complete,
we will integrate with it in a future revision by turning each remote system port number
in an instance's detailed information page into a link that opens a small window
displaying the information associated with that port number, such as its associated
protocols, a description, and known vulnerabilities.



If the Santa Monica team wishes to receive not only captured executable samples, but
also any ancillary data (e.g. packet dumps), then they need to define a file format for
such data that DIS can process. For example, we could archive the captured executable
together with the ancillary data in a ZIP format file.



6.2 DIS 
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